Get-WinEvent is not showing computer name

  • Question

  • Hi

    I need to pull out a computer name field value from the following command Get-WinEvent -LogName ForwardedEvents | where {$_.ID -eq 301}  | fl

    I am only seeing TimeCreated, ProviderName, Id, Message  fields,  ComputerName field is not there. 

    Is there anything I can do to get the value for ComputerName ?

    Thanks 

    Edit:

    So the computer name is actually MachineName field. I am able to retrieve it with the following command

    Get-WinEvent -LogName ForwardedEvents | select * | where {$_.ID -eq 256}  | fl

    If I try Get-WinEvent -LogName ForwardedEvents | select MachineName  | where {$_.ID -eq 256}

    I end up with an empty output.


    • Edited by net_tech Monday, February 12, 2018 5:04 PM
    Monday, February 12, 2018 4:27 PM

Answers

  • Get-WinEvent -LogName ForwardedEvents | where {$_.ID -eq 301}  | Select-Object -Property MachineName

    You would have gotten it if you had tried Format-List * (fl *)

    Get-WinEvent -LogName ForwardedEvents | where {$_.ID -eq 301}  | fl *


    Regards kvprasoon

    • Marked as answer by net_tech Monday, February 12, 2018 5:36 PM
    Monday, February 12, 2018 5:11 PM
  • This is an inefficient way to query the event log.  You need to filter or you will return all records which can take a huge amount of time on a large system.

    Use the filter:

    Get-WinEvent -FilterHash @{LogName='ForwardedEvents';ID=256}  | fl


    \_(ツ)_/

    • Marked as answer by jrv Monday, February 19, 2018 6:53 PM
    Monday, February 12, 2018 11:37 PM
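    An added example, not posted by anyone in this thread, that puts a number on the difference jrv describes: the Where-Object pipeline pulls every record out of the log before discarding non-matches, while -FilterHashtable hands the filter to the event log service. It assumes a collector whose ForwardedEvents log already holds events, that event ID 256 is present, and that it is run as a .ps1 script (the $script: prefix is needed because Measure-Command runs its block in a child scope).

```powershell
# Added example for this thread (not jrv's or kvprasoon's code).
# Assumes: a populated ForwardedEvents log and at least one event with ID 256.
$logName = 'ForwardedEvents'
$eventId = 256

# Client-side filtering: every record in the log is read, deserialized and
# pushed down the pipeline before Where-Object throws away the non-matches.
$slow = Measure-Command {
    $script:viaWhere = Get-WinEvent -LogName $logName -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq $eventId }
}

# Service-side filtering: the hashtable becomes a structured query that the
# event log service evaluates itself, so only matching records cross the pipe.
$fast = Measure-Command {
    $script:viaFilter = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $eventId } `
        -ErrorAction SilentlyContinue
}

# Both approaches must agree on the result set; only the cost should differ.
[pscustomobject]@{
    WhereObjectSeconds = [math]::Round($slow.TotalSeconds, 2)
    FilterHashSeconds  = [math]::Round($fast.TotalSeconds, 2)
    WhereObjectCount   = @($viaWhere).Count
    FilterHashCount    = @($viaFilter).Count
}
```

    The two counts should match; the gap between the two timings grows with the size of the log, which is exactly the case on a busy collector. Get-Help Get-WinEvent -Parameter FilterHashtable lists the keys the hashtable accepts (LogName, ProviderName, Id, Level, StartTime, EndTime and a few others).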

All replies

  • Thank you!
    Monday, February 12, 2018 5:36 PM
  • Can Select-Object -Property MachineName be moved in to where ?

    where {$_.ID -eq 301 and $ ???????????} 

    Thanks 

    Monday, February 12, 2018 5:58 PM
  • you can access it in where

    where {$_.ID -eq 301 -and $_.MachineName -eq 'server'}

    I'm sure you are missing the basics.

    Have it from the link below; this will surely help you.

    https://mva.microsoft.com/en-us/training-courses/getting-started-with-powershell-3-0-jump-start-8276


    Regards kvprasoon

    Monday, February 12, 2018 6:05 PM
  • $Computer = Get-WinEvent -LogName $logname | where {$_.ID -eq $eventID}  | Select-Object -Property MachineName 

    I am setting the $Computer variable to the computer name from the field recorded in the event. 

    As a result I end up with the field name@value.

    I only need to get the value and not the field name 

    Thanks 

    Monday, February 12, 2018 6:11 PM
  • Select-Object -ExpandProperty MachineName

    I would recommend you to follow the link I've shared. This is very basic PowerShell.

    You should at least do

    Get-Help Select-Object -Full


    Regards kvprasoon

    Monday, February 12, 2018 6:47 PM
  • Thank you comment jrv!

    I am limiting the time of the events to 1 hour and searching for a specific event 6009

    $date = (Get-Date).AddHours(-1)
    $eventID = "6009"
    Get-WinEvent -LogName ForwardedEvents | where {$_.Id -eq $eventID -and $_.TimeCreated -gt $date}

    I was able to remove the table header with ft -HideTableHeaders, but my results are displayed in the column (I usually end up with 2 or 3 names)

    I need to find a way to display the results as a string, but I guess this is another issue.

    Thank you

    Tuesday, February 13, 2018 1:03 AM
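    The following is an added example, not code from net_tech, kvprasoon or jrv, that ties the thread's pieces together: the time window and event ID go into the filter hashtable (jrv's point), -ExpandProperty returns bare strings instead of @{MachineName=...} objects (kvprasoon's point), and -join turns the two or three names into the single string net_tech was after. The optional -MachineName parameter narrows to one host the way kvprasoon's where clause does. It assumes a ForwardedEvents log on a collector; the function name, parameters and the sample host names in the comment are this example's own.

```powershell
# Added example for this thread (not the posters' code).
# Assumes: a ForwardedEvents log on a collector; event ID 6009 is the poster's value.
function Get-ReportingMachineName {
    [CmdletBinding()]
    param(
        [string]$LogName = 'ForwardedEvents',
        [int]$EventId = 6009,
        [int]$Hours = 1,
        [string]$MachineName,        # optional: keep only events from this host
        [string]$Separator = ', '
    )

    # Id and StartTime go into the hashtable so the event log service discards
    # everything outside the window; nothing unneeded reaches the pipeline.
    $filter = @{
        LogName   = $LogName
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent writes a non-terminating error when nothing matches; for a
    # report an empty string is the right answer, so that error is suppressed.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # MachineName is not a hashtable key, so that one condition stays client-side.
    if ($MachineName) {
        $events = $events | Where-Object { $_.MachineName -eq $MachineName }
    }

    # -ExpandProperty yields the strings themselves rather than one-property objects.
    $names = $events |
        Select-Object -ExpandProperty MachineName |
        Sort-Object -Unique

    # -join on an empty or null collection gives "", on one element the element itself.
    return ($names -join $Separator)
}

# Usage: one string such as "host1.corp.example, host2.corp.example" (constructed sample).
Get-ReportingMachineName -EventId 6009 -Hours 1
```

    Because the result is a plain string, it can be dropped into a mail body or log line without the ft -HideTableHeaders workaround, and an empty window yields an empty string instead of an error.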
  • You need to do two things.   Read the full help for the CmdLet carefully.  Take some time to learn PowerShell. 

    \_(ツ)_/

    Tuesday, February 13, 2018 1:06 AM
  • There is one thing you fail to understand.  Filtering an event log with a Where clause will cause you to return ALL event records which will be very slow.  Using the "Filter" supplied with the CmdLet causes the event log service to use indexes to return only records that match the index.  This can be more than 100 times faster.

    Reading the FULL CmdLet help would help you to learn and understand how this works.  Taking the tutorial or studying a book on PowerShell would help you with all of your issues.  Guessing will not get you good results. 


    \_(ツ)_/

    Monday, February 19, 2018 6:59 PM
  • JRV

    You missed the key word "ForwardedEvents". The events being pulled by the server are already filtered and the event log is getting filled with ONLY events I care about. While your suggestion makes sense in other event logs, filtering filtered is like watering water. I will take it into consideration while studying PowerShell.

    Thanks again

    Monday, February 19, 2018 7:14 PM
  • And what does that have to do with this question and why, if the events are filtered, is the answer using a where clause to filter the events?

    The log specified is a forwarded log that can contain millions of different event IDs and events from multiple logs.  There is no specification for it.

    Using "Where" is not a good way to filter event logs and would be misleading to anyone just learning.  It is just silly to not use the index based filtering built into the event log.  Why else would Microsoft have gone to so much trouble?

    When you have enough experience querying event logs you will start to understand why the CmdLet is designed the way it is and why the event logs were totally redesigned for Vista and later.

    You can learn many things in many faulty ways.  It takes experience and study to learn things correctly.  Correct knowledge saves time and mistakes.  To be a technician requires that you learn things correctly and not just some way that works some of the time.


    \_(ツ)_/

    Monday, February 19, 2018 7:29 PM

  • The log specified is a forwarded log that can contain millions of different event IDs and events from multiple logs.  There is no specification for it.


    \_(ツ)_/

    You should take the time to learn how to filter the events and set the specifications for it.

    https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/


    • Edited by net_tech Monday, February 19, 2018 7:39 PM
    Monday, February 19, 2018 7:39 PM
  • Then why are you filtering it in your query?  Forwarded events can be any events you want to forward.

    You are arguing about something that makes little sense.

    OK.  I give up. You are one hundred percent right.  We should all not use "Filter" and always use "Where".  The earth is flat and the tooth fairy is real.

    I guess I have been doing everything wrong for 40+ years. Perhaps computers do have little bugs running on treadmills inside.

    You win.   Good luck with your IT work.


    \_(ツ)_/

    Monday, February 19, 2018 7:51 PM

  • Perhaps computers do have little bugs running on treadmills inside.



    \_(ツ)_/

    Do they not?
    Monday, February 19, 2018 7:52 PM
    In 1983 I received an HP 13037A minicomputer disk subsystem controller from the Dominican Republic Telco.   The thing was as big as a large briefcase.  The customer complained that it wouldn't even turn on after one day when it made a racket.  When I looked at it, it was quite dirty so I pulled off the cover to vacuum it out and begin the repairs.  There with his tail stuck in the fan was a 6-inch iguana. I guess he was hunting for bugs and got stuck.

    \_(ツ)_/



    • Edited by jrv Monday, February 19, 2018 8:50 PM
    Monday, February 19, 2018 8:49 PM
    Must have been our grandpop. It was his favorite story to tell to us kids, about an HP 13037A minicomputer disk sent from our homeland in Dominican to NY. 

    This is the only thing we have left. (still hanging on the wall)


    • Edited by net_tech Monday, February 19, 2018 9:28 PM
    Monday, February 19, 2018 9:22 PM
  • No.  Not sent to NY.  No self respecting DR citizen would ever send anything to NY except themselves.  Dominicans make good Yankees!

    No.  This one was sent to another famous place.

    The interface drivers were also much tastier than those Signetics packages.  Best I can remember they were all ECL logic and very bus sensitive.

    Good little diagram. Very historic.  Belongs in a museum.

    And imagine that the 13037 was the foundation for the early PC disk controllers.  It had a bit-slice Fairchild chipset.  I learned how to microcode that little thing.  It was really a nice box and could be made to do tricks. I cried when HP moved to Winchester disks.  Boring!


    \_(ツ)_/

    Monday, February 19, 2018 9:47 PM