locked
How to add GroupInfo object results to custom object and output RRS feed

  • Question

  • Hi there

    I am trying to write a script to query multiple servers eventlogs taking top 100 entries - and then group the results by message and sort it by top 10 - getting the results back is fine but when i group it using group-object and try to add the results to a PSCustomobject i am not getting the results i should see? Basically i just see - 'Microsoft.PowerShell.Commands.GroupInfoNoElement' for logentries I do get the machine name custom property back also it would be nice to include the Source property but not sure how to do it? Here is the code - has anyone accomplished this before and if so could you help please?



    [CmdletBinding()]

        param(
        [Parameter(
        Mandatory=$true,
        ValueFromPipeline = $true,
        ValueFromPipelineByPropertyName = $true

        )]
        [String[]]$targetmachine,


        [parameter( Mandatory=$true, Position=1)]
        [ValidateSet("Application","System")] 
        [string]$log,

        [parameter( Mandatory=$true, Position=2)]
        [ValidateSet("Error","Warning")] 
        [string]$eventtype

    )


    begin{




    $machinelogs=@()
    $credential = Get-Credential
    }





    process{




         function Get-Log($target,$log,$eventtype)
        {

            try{
            $evt=$null
            $evt = Invoke-Command -ComputerName $target `
                        -ScriptBlock{

                            Get-EventLog -ComputerName $using:target -LogName $using:log -EntryType $using:eventtype -Newest 100
                                
                } -Credential $credential -ErrorAction Stop
                }catch{Write-Host -ForegroundColor Green "Failed to connect to remote server $target"}

            
        }
        
       foreach($target in $targetmachine)
       {
                     $machineevents=@()
                     $events=@()
                    Get-log $target $log $eventtype
                  
                    $eventdata = $evt | group -Property message -NoElement | sort count -Descending | select -First 10
                              
                    $obj = New-Object psobject -Property @{
                        MachineName = $target
                        LogEntries = $eventdata

                    }
                    
                 $machineevents += $obj
                   
        }
       
        
        $machineevents

     
    }  #endprocess      

    end{

       # $machineevents | Out-GridView -Title "Machine Events"


    }
                

    Tuesday, January 23, 2018 4:57 PM

Answers

  • Which is why we don't use Get-EventLog as it is obsolete. Use Get-WinEvent for all system from Vista and later.

    Get-WinEvent I always faster if you know hw to use it.  You need to specify the event type in a filter hash.  It is really called "Level" and can specify multiple levels

    @{Logname='Application';Level=2,3,4}


    \_(ツ)_/

    • Marked as answer by nickkinn Monday, February 5, 2018 9:34 PM
    Monday, January 29, 2018 9:10 AM

All replies

  • You are using Invoke and a computer name on the Get-EventLog.   This is unnecessary and will give you bad results.

    Also use Get-WinEvent as it is faster and can query the new event logs correctly.  Using multiple functions for this is pointless and will make your task almost impossible to debug.

    You cannot group on message because the text can and will be different on almost every event. Use EventID

    Get-WinEvent -Computer remotepc -MaxEvents 100

    This will return the latest 100 events from all logs

    Get-WinEvent -Computer $computerlist-MaxEvents 100 | Group PsComputerName

    This will generate  groups by computer.

    Get-EventLog is only useful for systems pre-Vista and is maintained for backward compatibility.

    Help Get-WinEvent -Online
    help Group-Object -Online


    \_(ツ)_/

    • Proposed as answer by BOfH-666 Tuesday, January 23, 2018 5:43 PM
    Tuesday, January 23, 2018 5:25 PM
  • Hi there - 

    thanks for the input - indeed your right about the function is pointless and redundant - however the use of invoke-command is necessary because get-eventlog cannot be run against the servers without admin creds - and get-eventlog does not have a -credential parameter - while get-winevent does - for some reason (in this environment) it's actually slower - and get-eventlog - has the -entrytype param which is handy - thanks

    Monday, January 29, 2018 8:47 AM
  • Which is why we don't use Get-EventLog as it is obsolete. Use Get-WinEvent for all system from Vista and later.

    Get-WinEvent I always faster if you know hw to use it.  You need to specify the event type in a filter hash.  It is really called "Level" and can specify multiple levels

    @{Logname='Application';Level=2,3,4}


    \_(ツ)_/

    • Marked as answer by nickkinn Monday, February 5, 2018 9:34 PM
    Monday, January 29, 2018 9:10 AM