27 January,2016 by Tom Collins
Question: How can I return a Windows Event Logs recordset within a date range? I’m troubleshooting a recurring issue across certain servers, and needed a Powershell scripted method of returning Windows Events from the System event log by event ID, start date and end date.
Answer: To filter event log details I use the Get-WinEvent PowerShell cmdlet. The -FilterHashtable parameter takes the filter criteria (log name, event ID, start time, end time) as a hashtable. Let’s look at some basic examples.
Example 1: Find all events with event ID 36874 in the System log between 01/12/15 and 21/12/15
Get-WinEvent -FilterHashtable @{logname='system';id=36874;StartTime="01/12/15";EndTime="21/12/15"}
Example 2: Find all events with event ID 256 in the Application log within a date range
Get-WinEvent -FilterHashtable @{logname='application';id=256;StartTime="01/01/16";EndTime="21/01/16"}
Example 3: Find all events with event ID 256 in the Application log within a date range, and limit the results to 10
Get-WinEvent -FilterHashtable @{logname='application';id=256;StartTime="01/01/16";EndTime="21/01/16"} -MaxEvents 10
These Get-WinEvent examples will get you started on extracting Windows Events. One of the interesting things about Get-WinEvent is its capacity to extract messages from different Event Log providers.
Use the -ListLog parameter of the Get-WinEvent PowerShell cmdlet to list the logs on a machine. You’ll be amazed at the list of log sets and types available. There is great potential in combining result sets from different logs when troubleshooting.
Get-WinEvent -ListLog *
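The following is an added example, not code from the original post. It wraps the -FilterHashtable pattern from Examples 1 to 3 and the -ListLog check above into a single function that queries the same event ID and date range across several servers, which is the scenario the question describes. The server names, the event ID and the date range are placeholders; the function name Get-EventsInRange is my own. Dates are built as [datetime] values rather than strings such as "01/12/15", because a string like that reads as 1 December in a UK locale and 12 January in a US one, while a [datetime] value is unambiguous.

```powershell
# Added example (not from the original post): query one event ID from a log
# across several servers within an explicit date range. The server names,
# event ID and dates used below are placeholders.
function Get-EventsInRange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $LogName,
        [Parameter(Mandatory)] [int[]]    $Id,
        [Parameter(Mandatory)] [datetime] $StartTime,
        [Parameter(Mandatory)] [datetime] $EndTime,
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    if ($EndTime -le $StartTime) {
        throw "EndTime must be later than StartTime."
    }

    # Same hashtable shape as the post's examples, but with [datetime] values
    # so the range does not depend on the machine's date format.
    $filter = @{
        LogName   = $LogName
        Id        = $Id
        StartTime = $StartTime
        EndTime   = $EndTime
    }

    foreach ($computer in $ComputerName) {
        # -ListLog confirms the log exists on the target before querying it,
        # so a mistyped log name is reported instead of silently returning nothing.
        $log = Get-WinEvent -ListLog $LogName -ComputerName $computer -ErrorAction SilentlyContinue
        if (-not $log) {
            Write-Warning "Log '$LogName' not found on $computer; skipping."
            continue
        }

        try {
            # Get-WinEvent raises an error when no records match; -ErrorAction Stop
            # makes it catchable so an empty result is distinguished from a failed query.
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Select-Object @{Name = 'ComputerName'; Expression = { $computer }},
                              TimeCreated, Id, ProviderName, LevelDisplayName, Message
        }
        catch {
            if ($_.Exception.Message -like 'No events were found*') {
                Write-Verbose "No matching events on $computer."
            }
            else {
                Write-Warning "Query failed on ${computer}: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: the [datetime] cast of an ISO-style string is culture-independent,
# so 2015-12-01 means 1 December 2015 on any machine.
$start   = [datetime]'2015-12-01'
$end     = [datetime]'2015-12-21 23:59:59'
$servers = 'SERVER01', 'SERVER02'   # placeholder server names

Get-EventsInRange -LogName 'System' -Id 36874 -StartTime $start -EndTime $end -ComputerName $servers |
    Sort-Object TimeCreated |
    Format-Table ComputerName, TimeCreated, Id, Message -AutoSize -Wrap
```

Run it with -Verbose to see which servers returned no matching events; those are reported separately from servers where the query itself failed (for example, because the remote Event Log service was unreachable), which keeps a quiet server from being mistaken for an unreachable one.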
The alternative way of extracting Windows Event Logs is the Get-EventLog cmdlet. Although easier to learn, it doesn’t offer the same breadth of filtering.