Help appending how many times an event ID has occurred next to the unique Event ID.

  • Question

  • Hello,

    I am trying to figure out how to find how many times an event occurred and then append that next to the single unique Event ID.

    The closest I can find is Sort-Object Count, but I can't figure out how to get that to work within the below script.

    Any help would be appreciated; the below script works already, but just doesn't have that Event ID count.

    Thank you for any help. 

    Below is the script to pull all Event Logs for each server, filter them to only display Warnings, Failures, and FailureAudits for the Application, System, and Security logs, and then remove all duplicate EventIDs so only one of each is shown. It then exports that info into a .CSV per server.

    param([int]$days = 31)
    # Server list; the original was missing the comma between "Server2" and "Server3", which is a parse error.
    $servers = @("Server1", "Server2", "Server3", "Etc")

    # Credential used for the remote WMI connections below.
    $user = Get-Credential
    #Set namespace and calculate the date to start from
    $namespace = "root\CIMV2"
    $BeginDate = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$days))
    $store = "C:\Powershell\MonthlyMaintenance"

    foreach ($computer in $servers)
    {
        # Win32_NTLogEvent exposes the severity as the string Type ('Error', 'Warning',
        # 'Security Audit Failure', ...) and the numeric EventType (1 = Error, 2 = Warning,
        # 5 = Security Audit Failure). Filtering on Type='FailureAudit' matches nothing, so
        # the numeric EventType values are used here.
        $filter = "TimeWritten >= '$BeginDate' AND (EventType=1 OR EventType=2 OR EventType=5)"

        Echo "Pulling Event Logs for $computer ..."

        Get-WmiObject Win32_NTLogEvent -ComputerName $computer -Namespace $namespace -Credential $user -Filter $filter |
            Sort-Object EventCode -Unique |
            Select-Object ComputerName,
                          Logfile,
                          Type,
                          @{N='TimeWritten';E={$_.ConvertToDateTime($_.TimeWritten)}},
                          SourceName,
                          Message,
                          Category,
                          EventCode,
                          User |
            Export-Csv "$store\$computer-Filter.csv"
    }
    Echo "Done."

    Tuesday, April 7, 2015 6:02 PM

Answers

  • You can get an aggregate of data or you can get detail.  You cannot get both at the same time.  Similar to Heisenberg's Principle.  The laws of data don't allow this.

    You can customize the results and get added info.

    Get-WmiObject Win32_NTLogEvent -computername $computer -Filter $filter | 
      Group-Object EventCode | 
        Select @{N='EventCode';E={$_.Name}},Count, @{N='ComputerName';E={$computer}} |
        Sort Eventcode

    That is about all you can do except for pulling items from "group"


    \_(ツ)_/



    • Edited by jrv Wednesday, April 8, 2015 9:39 PM
    • Marked as answer by Ranmatt Wednesday, April 8, 2015 11:31 PM
    Wednesday, April 8, 2015 9:38 PM
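The "pulling items from the group" route mentioned above, worked through as an added example (this is not jrv's code or the original poster's script): Group-Object yields one group per EventCode, the newest event in each group supplies the detail columns, and the group's Count is attached to that same row. The sample events are constructed inline so the block runs without a server; in the real script `$events` is replaced by the Get-WmiObject Win32_NTLogEvent pipeline from the question, and the property names (ComputerName, Logfile, Type, TimeWritten, SourceName, Message, EventCode) are assumed to match the Select-Object list there.

```powershell
# Added example, not code from the thread: one row per EventCode carrying both the
# event detail and the number of occurrences. The sample events below are constructed
# in place of the Get-WmiObject Win32_NTLogEvent output used in the question.

function Add-EventCodeCount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$InputEvent
    )
    begin { $all = New-Object 'System.Collections.Generic.List[object]' }
    process { $all.Add($InputEvent) }
    end {
        $all |
            Group-Object EventCode |
            ForEach-Object {
                # The newest occurrence supplies the detail columns; Count is the group size,
                # so aggregate and detail end up on the same row.
                $newest = $_.Group | Sort-Object TimeWritten -Descending | Select-Object -First 1
                [pscustomobject]@{
                    ComputerName = $newest.ComputerName
                    Logfile      = $newest.Logfile
                    Type         = $newest.Type
                    TimeWritten  = $newest.TimeWritten
                    SourceName   = $newest.SourceName
                    Message      = $newest.Message
                    EventCode    = [int]$_.Name     # the group Name is a string; cast so the sort is numeric
                    Count        = $_.Count
                }
            } |
            Sort-Object EventCode
    }
}

# Constructed sample input standing in for the WMI query: EventCode 200 once,
# 1000 three times, 4625 twice, 7000 once.
$now = Get-Date
$events = @(
    [pscustomobject]@{ ComputerName='Server1'; Logfile='Application'; Type='Error';   TimeWritten=$now.AddHours(-9); SourceName='Application Error'; Message='Faulting application w3wp.exe'; EventCode=1000 }
    [pscustomobject]@{ ComputerName='Server1'; Logfile='Application'; Type='Error';   TimeWritten=$now.AddHours(-4); SourceName='Application Error'; Message='Faulting application w3wp.exe'; EventCode=1000 }
    [pscustomobject]@{ ComputerName='Server1'; Logfile='Application'; Type='Error';   TimeWritten=$now.AddHours(-1); SourceName='Application Error'; Message='Faulting application w3wp.exe'; EventCode=1000 }
    [pscustomobject]@{ ComputerName='Server1'; Logfile='Application'; Type='Warning'; TimeWritten=$now.AddHours(-7); SourceName='ESENT';             Message='Database recovery warning';     EventCode=200 }
    [pscustomobject]@{ ComputerName='Server1'; Logfile='Security';    Type='Security Audit Failure'; TimeWritten=$now.AddHours(-3); SourceName='Microsoft-Windows-Security-Auditing'; Message='An account failed to log on'; EventCode=4625 }
    [pscustomobject]@{ ComputerName='Server1'; Logfile='Security';    Type='Security Audit Failure'; TimeWritten=$now.AddHours(-2); SourceName='Microsoft-Windows-Security-Auditing'; Message='An account failed to log on'; EventCode=4625 }
    [pscustomobject]@{ ComputerName='Server1'; Logfile='System';      Type='Error';   TimeWritten=$now.AddHours(-6); SourceName='Service Control Manager'; Message='The Spooler service failed to start'; EventCode=7000 }
)

$counted = $events | Add-EventCodeCount
$counted | Format-Table ComputerName, Logfile, EventCode, Count, TimeWritten, SourceName -AutoSize

# Same shape the original script writes, now with a Count column at the end.
$counted | Export-Csv (Join-Path $env:TEMP 'Server1-Filter.csv') -NoTypeInformation
```

Group-Object replaces the `sort eventcode -unique` step entirely: the deduplication and the count come from the same grouping, so the row and its count can never drift apart. The Format-Table call is only for looking at the result on screen; anything fed to Export-Csv must come from the objects themselves, not from a Format-* cmdlet.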

All replies

  • Get-WmiObject Win32_NTLogEvent -computername $computer -Filter $filter |
        Group-Object EventCode |
        Select Name,Count |
        FT -auto


    \_(ツ)_/

    Tuesday, April 7, 2015 6:44 PM
  • Unfortunately adding that to the script just outputs a bunch of jargon:

    #TYPE Microsoft.PowerShell.Commands.Internal.Format.FormatStartData
    ClassId2e4f51ef21dd47e99d3c952918aff9cd pageHeaderEntry pageFooterEntry autosizeInfo shapeInfo
    033ecb2bc07a4d43b5ef94ed5a35d280 Microsoft.PowerShell.Commands.Internal.Format.AutosizeInfo Microsoft.PowerShell.Commands.Internal.Format.TableHeaderInfo
    9e210fe47d09416682b841769c78b8a3

    I did try adding it in various ways and removing the initial # Sort EventCode -unique | # and I just get the same jargon

    Am I adding it in wrong somehow?

    Thank you again for any help.

    param([string]$days= "31" )
    $servers = @("ComputerName")
    
    $user = Get-Credential
    #Set namespace and calculate the date to start from
    $namespace = "root\CIMV2" 
    $BeginDate=[System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).AddDays(-$days))
    $store = "C:\Powershell\MonthlyMaintenance"
    foreach ($computer in $servers)
    
    {    
    $filter="TimeWritten >= '$BeginDate' AND (type='Warning' OR type='Error' OR type='FailureAudit')"
    
    Echo "Pulling Event Logs for $computer ..."
    
    Get-WmiObject Win32_NTLogEvent -computername $computer -Filter $filter | 
        sort eventcode -unique |
        select Computername, 
                  Logfile,
                  Type,
                @{N='TimeWritten';E={$_.ConvertToDateTime($_.TimeWritten)}},
                SourceName,
                Message,
               Category,
               User,
               EventCode | Select Name,Count | FT -auto|
                
        Export-CSV C:\Powershell\MonthlyMaintenance\$computer-Filter.csv
    
    }     
    Echo "Done."
    


    Wednesday, April 8, 2015 7:39 PM
  • You cannot use both Format table and export. You will get garbage.  Run the code as I posted it and try to understand what I did and why.


    \_(ツ)_/

    Wednesday, April 8, 2015 8:01 PM
  • Ok, I got the count feature to work with #  Group-Object EventCode | Select Name,Count | #

    #TYPE Selected.Microsoft.PowerShell.Commands.GroupInfo
    Name Count
    1000 14
    200 35

    etc etc

    But I can't get it to append at the end in a new column with all the other information. Either I get the count or I get the Event Log Details. I've been trying a bunch of different ways with no luck.

    Get-WmiObject Win32_NTLogEvent -computername $computer -Filter $filter |
        select Computername, Logfile, Type, @{N='TimeWritten';E={$_.ConvertToDateTime($_.TimeWritten)}}, SourceName, Message, Category, User, EventCode |
        # I can either comment out the count or the -unique below and it works, but I can't get
        # the count to append at the end of the Event Log information next to the Event ID; it just
        # overwrites everything
        Group-Object EventCode | Select Name,Count | sort eventcode -unique |

    Thank you again.

    Wednesday, April 8, 2015 9:26 PM
  • You might have better luck with this:

    $computer=$env:computername
    Get-WinEvent -FilterHashtable @{LogName='System','Application';StartTime=$([datetime]::Today)} -ComputerName $computer |
        group LogName,Id |
        ForEach-Object{
            # Group-Object joins multiple property values as "LogName, Id"; split them back out
            [pscustomobject]@{
                ComputerName=$computer
                LogName=$_.Name.Split(',')[0]
                EventCode=[int]($_.Name.Split(',')[1])
                Count=$_.Count
            }
        } |
        sort LogName,EventCode |
        Format-Table -AutoSize


    \_(ツ)_/

    Wednesday, April 8, 2015 9:54 PM
  • I've actually got it set to just create a new CSV with the Event ID and the count:

       Get-WmiObject Win32_NTLogEvent -computername $computer -Filter $filter | 
        group-object EventCode | Select Name,Count | 
                
        Export-CSV C:\Powershell\MonthlyMaintenance\$computer-Count.csv

    And I have it so the Count CSV will be added to the workbook in a new column next to all the Event Log Details. The one issue I am having now is that the Event Log Details go in order from lowest Event ID to highest, and I need the count CSV to do the same or else the count does not match.

    But I am having a surprisingly hard time getting the count to go from lowest Event ID to highest.

    I've tried various ways, and I believe one of these should work, but no luck. Is there another command I am just not finding?

    group-object EventCode | Select Name,Count | Sort Name -descending

    group-object EventCode | Select Name,Count | Sort Name -unique

    Thank you,

    Wednesday, April 8, 2015 11:21 PM
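An added example for the situation in the post above (not the poster's or jrv's code): instead of depending on the two CSV files ending up in the same row order, the count file is joined onto the detail file by EventCode, and the EventCode column is sorted as a number. The Name column that `Group-Object EventCode | Select Name,Count` writes is text, and CSV columns read back as text, so `Sort Name` orders them alphabetically; the `[int]` cast below is what restores numeric order. Both inputs are constructed in memory here and stand in for the `$computer-Filter.csv` and `$computer-Count.csv` files from the thread; the column names are assumed from the scripts posted above.

```powershell
# Added example, not code from the thread: merge a count file onto a detail file by
# EventCode instead of by row position, and sort the EventCode column numerically.
# Both inputs are constructed in memory; they stand in for Server1-Filter.csv and
# Server1-Count.csv from the post.

$detailRows = @'
ComputerName,Logfile,Type,EventCode,SourceName
Server1,System,Error,7000,Service Control Manager
Server1,Application,Error,1000,Application Error
Server1,Security,Security Audit Failure,4625,Microsoft-Windows-Security-Auditing
Server1,Application,Warning,200,ESENT
'@ | ConvertFrom-Csv

# Shape produced by "Group-Object EventCode | Select Name,Count": the key column is Name, not EventCode.
$countRows = @'
Name,Count
1000,14
200,35
4625,3
7000,2
'@ | ConvertFrom-Csv

function Join-EventCount {
    param(
        [Parameter(Mandatory = $true)][object[]]$Detail,
        [Parameter(Mandatory = $true)][object[]]$Count
    )
    # Index the counts by EventCode; the join no longer cares what order either file is in.
    $countByCode = @{}
    foreach ($c in $Count) { $countByCode[[int]$c.Name] = [int]$c.Count }

    foreach ($d in $Detail) {
        $code = [int]$d.EventCode
        # A code with no matching count row gets 0 rather than a blank cell.
        $n = if ($countByCode.ContainsKey($code)) { $countByCode[$code] } else { 0 }
        $d | Add-Member -NotePropertyName Count -NotePropertyValue $n -PassThru
    }
}

# Name is a string after ConvertFrom-Csv, so the first sort is alphabetical; the
# second casts each value to [int] and sorts numerically.
$countRows | Sort-Object Name             | Format-Table -AutoSize
$countRows | Sort-Object { [int]$_.Name } | Format-Table -AutoSize

# Joined output in numeric EventCode order, ready for the workbook.
Join-EventCount -Detail $detailRows -Count $countRows |
    Sort-Object { [int]$_.EventCode } |
    Export-Csv (Join-Path $env:TEMP 'Server1-FilterWithCount.csv') -NoTypeInformation
```

Joining on the key rather than on row position also protects against the case where one file has an EventCode the other lacks, which would silently shift every following row if the two CSVs were simply pasted side by side.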
  • Sorry - you keep changing and expanding the problem.  We answered your original question.

    I suggest spending time reading the full help for the CmdLets.  Learn how to adjust your code to obtain the results you want.


    \_(ツ)_/

    Wednesday, April 8, 2015 11:29 PM