PowerShell Get-EventLog using the -Message argument and SLOW speed

  • Question

  • The problem with Get-EventLog is it is god-awful slow.

    Everyone wants you to pipe the results to a Where statement, which makes it 100x slower, especially when there is already a -Message argument there.

    Problem is I am having little luck. Still taking 30 minutes or more and not producing any results, even when looking for a computer I know is there.

    Can you confirm the syntax is correct for this? If it is correct how do I make this usable?

    Thanks

    $before = (Get-Date).AddMinutes(-30)
    $after  = (Get-Date).AddMonths(-1)

    $before
    $after

    # Wildcard match on the message text; -After/-Before bound the time window
    Get-EventLog -LogName Security -ComputerName MSDCSERV02 -After $after -Before $before -Newest 2 -Message '*W410South$*'


    Lishron

    Tuesday, April 14, 2015 6:24 PM

Answers

  • You should actually take the time to read the help.

    Look very closely at what you are allowed to filter on:

     help get-winevent -par filterhashtable

    You can specify the data fields.


    \_(ツ)_/

    • Marked as answer by Lishron Tuesday, April 14, 2015 9:07 PM
    Tuesday, April 14, 2015 8:27 PM
  • Get-WinEvent -FilterHashTable @{
        LogName = 'Security';
        StartTime = $([datetime]::Today.AddDays(-30));
        Data = 'W410South$'
    } -ComputerName 'MSDCSERV02' -MaxEvents 2

    I think this is what jrv is hinting at. Please note that data fields do not accept wildcards.

    • Marked as answer by Lishron Tuesday, April 14, 2015 9:07 PM
    Tuesday, April 14, 2015 8:59 PM

All replies

  • You should be using Get-WinEvent. Get-EventLog is only for WS2003 and earlier systems.

    HELP Get-WinEvent.

    Get-WinEvent -FilterHashTable @{Logname='Security';Starttime=$([datetime]::Today.AddDays(-1))} -MaxEvents 5


    \_(ツ)_/


    • Edited by jrv Tuesday, April 14, 2015 6:39 PM
    Tuesday, April 14, 2015 6:39 PM
  • WOW, I am surprised. I have tried this and it is that much slower.

    Lishron

    Tuesday, April 14, 2015 7:08 PM
  • Your code looks better, so I am using it, but still the exact same results on speed.

    Start the search, go make a pot of coffee, get a nap, maybe catch a movie, and then it is done.

    # Slow: the hashtable only bounds the time window; the name match happens in Where-Object after every event has been returned
    Get-WinEvent -ComputerName MSDCSERV02 -FilterHashTable @{Logname='Security';Starttime=$([datetime]::Today.AddDays(-30))} | Where-Object {$_.message -like "*W410South*"}


    Lishron

    Tuesday, April 14, 2015 7:11 PM
  • Your code looks better, so I am using it, but still the exact same results on speed.

    Start the search, go make a pot of coffee, get a nap, maybe catch a movie, and then it is done.

    I run a search and it takes a second or two. You are running a search using WHERE. Don't do that. Learn how to use the hashtable. Read the help and look at how you use it to search the properties of the "Message" field.

    Using "where" filters nothing. It processes every message after it is returned. Using the "filter", the message properties are searched remotely as data.

    You should also narrow the results by selecting specific EventIds (ID).

    Learning how to use the event log query engine takes some time, but it will be worth it. It is a requirement for all future activity.


    \_(ツ)_/


    • Edited by jrv Tuesday, April 14, 2015 7:59 PM
    Tuesday, April 14, 2015 7:57 PM
  • Thanks, I do know how to filter by IDs, but almost every event is a log on or log off, so that is no improvement.

    So the key to finding my computer name is to search the message field. That I knew. The help file gives examples using the pipe command and the Where-Object, so that is of little to no use.

    I have posted on another board and will google it, as now I have a better way to define my Google search.

    I will close it when I have solved it, and I will post the solution.


    Lishron

    Tuesday, April 14, 2015 8:18 PM
  • You should actually take the time to read the help.

    Look very closely at what you are allowed to filter on:

     help get-winevent -par filterhashtable

    You can specify the data fields.


    \_(ツ)_/

    • Marked as answer by Lishron Tuesday, April 14, 2015 9:07 PM
    Tuesday, April 14, 2015 8:27 PM
  • I know you are trying to give me the answer, but I guess I am too stupid on this one.

    I am working with Google and the help file. Need to learn it better; did not even know about -par.

    If I type (see below)

    If I replace the word User or Computer with the actual name I need to find, I get a big fat error that says I am too stupid.

    Get-WinEvent -ComputerName MSDCSERV02 -FilterHashTable @{Logname='Security';Data="Computer"}

    # Or

    Get-WinEvent -ComputerName MSDCSERV02 -FilterHashTable @{Logname='Security';Data="User"}

    # Both work

    Lishron

    Tuesday, April 14, 2015 8:56 PM
  • Get-WinEvent -FilterHashTable @{
        LogName = 'Security';
        StartTime = $([datetime]::Today.AddDays(-30));
        Data = 'W410South$'
    } -ComputerName 'MSDCSERV02' -MaxEvents 2

    I think this is what jrv is hinting at. Please note that data fields do not accept wildcards.

    • Marked as answer by Lishron Tuesday, April 14, 2015 9:07 PM
    Tuesday, April 14, 2015 8:59 PM
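Added example, not code from the thread or from either poster: it wraps the accepted answer above, and jrv's point that Where-Object filters nothing on the remote side, in two reusable functions. The computer name and account value are the ones used in the thread; the function and parameter names are made up here; the event IDs 4624 (logon), 4634 (logoff) and 4625 (failed logon) are the well-known Security log IDs and are not mentioned in the thread. The second function goes a step further than the hashtable: the Data key matches the value in any EventData field, while the XPath form pins the match to one named field.

```powershell
# Added example (not from the thread). Build the FilterHashtable so the event
# log service on the remote host does the filtering, instead of streaming every
# Security event across the wire and discarding most of it with Where-Object.
function Find-SecurityEventsForAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Exact account name as it appears in the event data, e.g. 'W410South$'
        # for a computer account. The Data key does not accept wildcards.
        [Parameter(Mandatory)] [string] $Account,
        [int]   $Days = 30,
        # Optional narrowing by event ID (4624 logon, 4634 logoff, 4625 failed logon
        # are well-known Security IDs; omit to search every ID).
        [int[]] $Id,
        [int]   $MaxEvents = 2
    )

    $filter = @{
        LogName   = 'Security'
        StartTime = [datetime]::Today.AddDays(-$Days)
        Data      = $Account      # exact match against any EventData value
    }
    if ($Id) { $filter['Id'] = $Id }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML so the output
            # shows which field actually contained the account name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                Id              = $_.Id
                SubjectUserName = $data['SubjectUserName']
                TargetUserName  = $data['TargetUserName']
                WorkstationName = $data['WorkstationName']
                IpAddress       = $data['IpAddress']
            }
        }
}

# Same search pinned to one named field. Unlike the Data key, which matches the
# value wherever it appears, this only returns logon/logoff events whose
# TargetUserName is the account. Still evaluated remotely by the log service.
function Find-LogonsForAccountXPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Account,
        [int] $Days = 30,
        [int] $MaxEvents = 2
    )
    # timediff() compares against the query time in milliseconds.
    $ms    = [int64]$Days * 86400000
    $xpath = "*[System[(EventID=4624 or EventID=4634) and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data[@Name='TargetUserName']='$Account']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents
}

# Usage (values from the thread):
Find-SecurityEventsForAccount -ComputerName 'MSDCSERV02' -Account 'W410South$' -Id 4624,4634
Find-LogonsForAccountXPath    -ComputerName 'MSDCSERV02' -Account 'W410South$'
```

Both functions keep the filter on the remote side, which is the whole difference between "a second or two" and the coffee-and-a-movie run time described earlier in the thread. Wrapping the call in Measure-Command with and without the Data key is a quick way to see the effect on a given server.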
  • OK, JRV was not hinting, he was right out and out telling me.

    Here is what I was doing wrong.

    Data="W410South$"  << note: no spaces. Gives me a big fat error that says I am too stupid and should unplug my PC.

    Data = "W410South$" works perfectly.

    So much thanks to both of you.


    Lishron

    Tuesday, April 14, 2015 9:10 PM
  • Spaces are optional, so you had something else wrong.

    Use PowerShell help. Google is pointless until you understand what PowerShell has to say.


    \_(ツ)_/

    Tuesday, April 14, 2015 9:22 PM