Sign in
 
HomeWindows 8Windows 7Windows VistaWindows XPMDOPWindows IntuneLibraryForums
Windows Client >
Wevtutil command options for Date

Answered Wevtutil command options for Date

  • Thursday, August 18, 2011 5:06 PM
     
     
    Sign In to Vote
    0

    On a Windows 7 System, I want to export logs of a particular day into an xml file. I have tried using wevtutil but failed to get a query to read data for a particular day! Any help here ...

    I have tried till now wevtutil options and can output the whole eventlogs of Application or System into an XML file. I want the XPath to give me values only for say 2011-08-15.

    Thanks in advance!

    Vincent, Mountain View, CA
     

All Replies

  • Thursday, August 18, 2011 10:29 PM
    Answerer
     
     Answered
    Sign In to Vote
    0

    For example, to get all System log events recorded on 2011-08-18, type the following command:

    wevtutil qe System "/q:*[System[TimeCreated[@SystemTime>='2011-08-18T00:00:00' and @SystemTime<'2011-08-19T00:00:00']]]"

    If you want to allow for timezones, then use the following date formats in the above command (the example supposes your time zone is -7 hours from UTC): '2011-08-18T00:00:00-07:00' and '2011-08-19T00:00:00-07:00'

    The Event Log XML schema is documented in MSDN and in the Windows SDK: http://msdn.microsoft.com/en-us/library/aa385201(v=VS.85).aspx

    If you don't have the time to learn XPath, open Event Viewer, expand any event log, click Action, Filter Current Log, build the filter using the dropdown boxes and checkboxes, then click the XML tab to see your query in XPath format.

    Microsoft MVP Windows Expert Consumer | http://www.wintecnico.com

     
  • Wednesday, January 30, 2013 9:43 PM
     
     Proposed
    Sign In to Vote
    0

    When trying to use the command above I was getting the following error:

    A syntax error occurred at position 33

    Failed to open event query. The specified query is invalid.

    After some troubleshooting I notice that you have to use the actual "<=" and ">=" operators, instead of "&lt;" and "&gt;". So the correct command to get all System log events recoded on 2013-01-30 should be:

    wevtutil qe System "/q:*[System[TimeCreated[@SystemTime>='2013-01-30T00:00:00' and @SystemTime<='2013-01-31T00:00:00']]]"

    I hope this saves you some time.

    • Proposed As Answer by Nuno Alexandre Thursday, January 31, 2013 12:05 AM
    •