Get-WinEvent: enter a value for the Id from a specific log

  • Question

  • Hello Scripter experts,

    I am looking to update this script so that it will allow me to enter a value in the line when choosing option "pressing 3". For example, if I hit 2 to show me log events and I want to get more info such as EventData, the syntax in this line will give me info that includes the Id for that specific log, which this Id (I would like to use) can then output the EventData for that log in the Application section. So when I press 3, I'd like it to ask me what value [Id] I want to enter. Any help is greatly appreciated.

    function Show-Menu
    {
         param (
               [string]$Title = 'Get Event Logs'
         )
         cls
         Write-Host "================ $Title ================"

         Write-Host "1: Press '1' Quick log"
         Write-Host "2: Press '2' Get Event log message"
         Write-Host "3: Press '3' GetEvent via Id [LogName] Application"
         Write-Host "4: Press '4' to open EventViewer"
         Write-Host "Q: Press 'Q' to quit."
    }
    do
    {
         Show-Menu
         # $input is an automatic variable in PowerShell; assigning it works at script
         # scope, but a name such as $selection would avoid shadowing it.
         $input = Read-Host "Please make a selection"
         switch ($input)
         {
               '1' {
                    cls
                    # Today's error-level (Level 2) events from both logs, counted per log
                    Get-WinEvent @{logname='application','system';starttime=[datetime]::today;level=2 } |
                    group logname -NoElement
               } '2' {
                    cls
                    # Same filter, one row per event. Get-WinEvent exposes the source
                    # as ProviderName; a 'source' property does not exist on these objects.
                    Get-WinEvent @{logname='application','system';starttime=[datetime]::today;level=2 } |
                    select logname, timecreated, id, message, ProviderName
               } '3' {
                    cls
                    # The event ID is hard-coded here; this is the line the question wants made interactive
                    $events = get-winevent -FilterHashTable @{logname = "Application"; ID = 1000}
                    # Guard the index: with no matching events $events is $null and [0] would fail
                    if ($events) { $events[0] | Format-List * } else { Write-Host "No matching events." }
               } '4' {
                    cls
                    Show-EventLog
               } 'q' {
                    return
               }
         }
         pause
    }
    until ($input -eq 'q')

    Monday, July 30, 2018 6:10 PM

All replies

  • Please post code using the code posting tool provided. Edit your original post please.


    \_(ツ)_/

    Monday, July 30, 2018 6:38 PM
  • You already use Read-Host to fill the $input variable, why not continue to use it to get the data for the log file name and the event-id?

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Monday, July 30, 2018 9:13 PM
  • Thanks for the reply. I have added the Read-Host part for option 3 but I think at this point, I'm not sure how to trigger the value to run/open that specific log based on the Id I enter.

    I was hoping to delete the ID = 1000 below and make it where whatever number I select matches the log I just viewed and will open it.

               '3' {
                    cls
                    $events = get-winevent -FilterHashTable @{logname = "Application"; ID = 1000}

    Tuesday, July 31, 2018 12:30 PM
  • Start here with the following:

    1. Learn PowerShell  
    2. PowerShell Documentation
    3. PowerShell Style Guidelines

    You are asking a question that shows you have not taken the time to learn basic PowerShell.  In effect you are asking for us to write your code one line at a time.  That is not the purpose of this forum.


    \_(ツ)_/

    Tuesday, July 31, 2018 12:37 PM
  • jrv- what's your problem? I only seek assistance and I've seen a lot of posts where people provide scripts right away. Wow dude, you need to get laid and get a life. I know PS at a basic level but even this is too advanced for me, hence the posting. The previous guy posted a suggestion, not a script, and I figured it out.

    Feel free to remove this post. It's pointless when there's people like you here. The script I'm using works anyway. Would've been better if it was automated and not manual..

    Tuesday, July 31, 2018 2:06 PM
  • The question you asked was answered.  Asking a new question is tantamount to asking us to write the code one line at a time.

    Anyone who had taken the minimum amount of time to learn PowerShell would have the answer.

    Don't be lazy.  If you are a tech then do what techs do and learn the tool you are seeking to use.

    Getting angry and nasty only further shows that you are just looking for others to do your work.  Most of us spend significant time studying the technology we use.  We take offence when others attempt to bypass this and have other people do their work and thinking for them.  You are not a professional.  If you want to be a professional tech then learn how to use the documentation provided.

    The links posted will teach you the basics of PowerShell.  Ignore them if you like.  It will not improve your skills to do so.


    \_(ツ)_/

    Tuesday, July 31, 2018 2:13 PM
  • The least you could do is to learn to use PowerShell help:

    help about_variables

    Also, to be clear, technical forums are not for free training in PowerShell basics.

    The following will help you to set your expectations for technical forums.


    \_(ツ)_/

    Tuesday, July 31, 2018 2:33 PM
  • $evid = Read-Host "some prompt: "

    Then replace the "1000" in your example with the variable $evid.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Tuesday, July 31, 2018 3:21 PM
  • For people who may be interested and find this useful: this script works for me, where I've filtered the date and the Windows log you parse will match based on that Id.

    $ErrorActionPreference = 'SilentlyContinue'
    $Host.UI.RawUI.BackgroundColor = ($bckgrnd = 'Black')
    [console]::ForegroundColor="DarkGreen"
    function Show-Menu
    {
         param (
               [string]$Title = 'Get Event Logs'
         )
         cls
         Write-Host "================ $Title ================"

         Write-Host "1: Press '1' Quick log"
         Write-Host "2: Press '2' Get Event log message"
         Write-Host "3: Press '3' GetEvent via Id for LogName Application"
         Write-Host "4: Press '4' GetEvent via Id for LogName System"
         Write-Host "5: Press '5' Open EventViewer"
         Write-Host "Q: Press 'Q' to quit."
    }
    do
    {
         Show-Menu
         $input = Read-Host "Please make a selection"
         switch ($input)
         {
               '1' {
                    cls
                    Get-WinEvent @{logname='application','system';starttime=[datetime]::today;level=2 } |
                    group logname -NoElement
               } '2' {
                    cls
                    # Get-WinEvent exposes the source as ProviderName; 'source' is not a property
                    Get-WinEvent @{logname='application','system';starttime=[datetime]::today;level=2 } |
                    select logname, timecreated, id, message, ProviderName | Format-Table -wrap
               } '3' {
                    cls
                    $log = Read-Host "Enter Windows Log to Parse"   # read but not used: this option always reads Application
                    $evtID = Read-Host "Enter Event ID"
                    $filterDate = (Get-Date).AddDays(-1)
                    # Reads the whole log and filters client-side, newest first
                    # ($events was never assigned and Formate-table is not a cmdlet, so the
                    # original trailing line did nothing under SilentlyContinue; the output
                    # formatting now ends the pipeline instead)
                    Get-WinEvent -FilterHashtable @{logname='Application'} | where {$_.Id -eq $evtId} | Where-Object {$_.TimeCreated -ge $filterDate} |
                    Select ContainerLog, TimeCreated, id, message, ProviderName | Sort-Object TimeCreated -Descending | Format-Table -wrap
               } '4' {
                    cls
                    $log = Read-Host "Enter Windows Log to Parse"   # read but not used: this option always reads System
                    $evtID = Read-Host "Enter Event ID"
                    $filterDate = (Get-Date).AddDays(-1)
                    Get-WinEvent -FilterHashtable @{logname='System'} | where {$_.Id -eq $evtId} | Where-Object {$_.TimeCreated -ge $filterDate} |
                    Select ContainerLog, TimeCreated, id, message, ProviderName | Sort-Object TimeCreated -Descending | Format-Table -wrap
               } '5' {
                    cls
                    Show-EventLog
               } 'q' {
                    return
               }
         }
         pause
    }
    until ($input -eq 'q')

    Thursday, August 2, 2018 12:58 PM
  • This would be much faster as using "Where" allows all records in the log to be returned before they are filtered.  Using the FilterHash causes the eventlog to use indexes to only return the required data.

    The records are returned in descending order - newest first.  To get the one newest record for any ID use "MaxEvents 1".

        '3' {
            cls
            $log = Read-Host 'Enter Windows Log to Parse'
            $evtID = Read-Host 'Enter Event ID'
            $filterDate = (Get-Date).AddDays(-1)
            Get-WinEvent -FilterHashtable @{logname=$log;ID=$evtId;StartTime=$filterDate} -MaxEvents 1 | 
                Select ContainerLog, TimeCreated,id, message, ProviderName |
                Format-Table -AutoSize
        }
    

    If you just want today's newest event for that ID you don't need "Startdate".  Just use the ID and MaxEvents.

    This is why spending some time learning the CmdLets completely can save a lot of time and improve your coding skills.


    \_(ツ)_/

    Thursday, August 2, 2018 1:19 PM
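An added example, not code from the thread or from any of its posters, that carries the FilterHashtable and MaxEvents advice from the reply above through to what the question originally asked for: the EventData of a chosen event. The function name Get-EventById and its parameters are assumed names, the prompts at the bottom mirror the menu's option 3, and the lookup runs against whatever logs exist on the machine it is executed on.

```powershell
# Added example (not from the thread): query one log by event ID through
# -FilterHashtable so the filtering happens in the event log service rather than
# client-side, validate the input, handle "no events found" cleanly, and expand
# the EventData block that Format-List * only shows as a flat Properties array.
function Get-EventById {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$LogName,   # e.g. 'Application' or 'System'
        [Parameter(Mandatory)][int]$EventId,      # [int] rejects non-numeric Read-Host input at bind time
        [int]$Hours = 24,                         # look-back window
        [int]$MaxEvents = 10                      # newest-first, so 1 gives the most recent match
    )

    # Refuse log names that are not registered on this machine instead of failing later
    if (-not (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
        throw "Log '$LogName' does not exist on this machine."
    }

    $filter = @{
        LogName   = $LogName
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent writes a non-terminating error when nothing matches; silence it and
    # report the empty result explicitly rather than letting a later $events[0] blow up
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No events with Id $EventId in '$LogName' during the last $Hours hour(s)."
        return
    }

    foreach ($e in $events) {
        # ToXml() exposes <EventData><Data Name="...">...</Data></EventData>
        [xml]$xml = $e.ToXml()
        $data = [ordered]@{}
        $i = 0
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($null -eq $d) { continue }          # event has UserData or no EventData at all
            if ($d -is [System.Xml.XmlElement]) {
                # Named fields keep their Name attribute; unnamed ones get an index
                $name  = $d.GetAttribute('Name')
                $key   = if ($name) { $name } else { "Data$i" }
                $value = $d.'#text'
            } else {
                # A single <Data> with no attributes comes back as a plain string
                $key   = "Data$i"
                $value = [string]$d
            }
            $data[$key] = $value
            $i++
        }
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            LogName      = $e.LogName
            Id           = $e.Id
            ProviderName = $e.ProviderName
            Message      = $e.Message
            EventData    = $data
        }
    }
}

# Interactive use, mirroring the menu's option 3; a non-numeric ID fails at parameter binding
$log = Read-Host 'Enter Windows Log to Parse'
$id  = Read-Host 'Enter Event ID'
Get-EventById -LogName $log -EventId $id | Format-List
```

Two points worth noting when adapting this: the log-name check and the `[int]` constraint catch bad input before Get-WinEvent is called, and because -ErrorAction SilentlyContinue is scoped to that one call (not set globally as in the posted script), genuine errors elsewhere still surface.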