Get-WinEvent script against a list of remote PC's

  • Question

  • I'm trying to create a script that will run against a list of PC's, which displays the first and last instance of a specific event ID (in this case, 19). I have the following script working on the local PC:

    $FilterXML = '<QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(EventID=19) and TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]]</Select>
      </Query>
    </QueryList>'
    $LogonEvents = Get-WinEvent -FilterXml $FilterXML
    $LogonEvents | sort -Property TimeCreated | Select-Object -First 1
    $LogonEvents | sort -Property TimeCreated | Select-Object -Last 1
    $LogonEvents_Count = Get-WinEvent -FilterXml $FilterXML | Measure-Object | select -ExpandProperty Count
    Write "Updates count is: $LogonEvents_Count"

    However, when I re-wrote it to support several machines, it's not returning anything at all. Any ideas?

    $FilterXML = '<QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(EventID=19) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
      </Query>
    </QueryList>'
    $PC_List = "WKFD7SCCM82X86", "WKFD7SCCM8300", "WKFD7SCCMLAB2", "WKFD8VIEWBCH04"
    $LogonEvents = ForEach ($PC in $PC_List) 
    	{$PC; Get-WinEvent -FilterXml $FilterXML -ComputerName $PC
            $LogonEvents | sort -Property TimeCreated | Select-Object -First 1
            $LogonEvents | sort -Property TimeCreated | Select-Object -Last 1
    		$LogonEvents_Count = Get-WinEvent -FilterXml $FilterXML | Measure-Object | select -ExpandProperty Count
    		Write "Updates count is: $LogonEvents_Count"
    }

    Friday, July 11, 2014 6:43 PM

Answers

  • Got it figured out. However, you merely quoting my script back at me didn't exactly give me a hint...

    $FilterXML = '<QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(EventID=19) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
      </Query>
    </QueryList>'
    $PC_List = "WKFD7SCCM82X86", "WKFD7SCCM8300", "WKFD7SCCMLAB2", "WKFD8VIEWBCH04"
    $PC = "WKFD7SCCM82X86"
    
    ForEach ($PC in $PC_List)
    {
        $PC
        # Query this PC only, skipping events whose message mentions 'Definition Update for Microsoft Endpoint'
        $LogonEvents = Get-WinEvent -FilterXml $FilterXML -ComputerName $PC | where { $_.Message -notlike '*Definition Update for Microsoft Endpoint*' }
        $firstevent = $LogonEvents | sort -Property TimeCreated | Select-Object -First 1
        $lastevent = $LogonEvents | sort -Property TimeCreated | Select-Object -Last 1
        # Minutes between the first and last matching event
        $timeRequired = ($lastEvent.timeCreated - $firstEvent.timeCreated).TotalMinutes
        #$LogonEvents_Count = Get-WinEvent -FilterXml $FilterXML | Measure-Object | select -ExpandProperty Count
        $logonEvents_Count = ($logonEvents | measure-object).count
        Write "Updates count is: $LogonEvents_Count"
        Write "The time for all installs was $timeRequired"
    }
    I just need to format everything now and I'll be set.


    • Marked as answer by Steve Freeman Friday, July 11, 2014 7:31 PM
    Friday, July 11, 2014 7:31 PM

All replies

  • This may give you a hint as to why you are failing.

    $FilterXML = '<QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(EventID=19) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
      </Query>
    </QueryList>'
    
    $PC_List="WKFD7SCCM82X86", "WKFD7SCCM8300", "WKFD7SCCMLAB2", "WKFD8VIEWBCH04"
    $LogonEvents = Get-WinEvent -FilterXml $FilterXML -ComputerName $PC_List
    $LogonEvents | sort -Property TimeCreated | Select-Object -First 1
    $LogonEvents | sort -Property TimeCreated | Select-Object -Last 1
    $LogonEvents_Count = Get-WinEvent -FilterXml $FilterXML | Measure-Object | select -ExpandProperty Count
    Write "Updates count is: $LogonEvents_Count"

    Basically your whole approach doesn't make much sense. What is it that you are actually trying to do? If you want a summary of each PC, start by creating a function that returns objects. Call the function in a loop. Gather the aggregate output and format as needed.


    ¯\_(ツ)_/¯

    Friday, July 11, 2014 7:05 PM
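
The approach suggested in the reply above (a function that returns one object per PC, called for each machine, with the aggregate output formatted at the end), as an added example that is not part of the original thread. The function name `Get-UpdateEventSummary` and its parameters are assumptions made for illustration; the filter and PC names are the ones from the question.

```powershell
# Added example; Get-UpdateEventSummary is a hypothetical name, not a built-in cmdlet.
function Get-UpdateEventSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,
        [int]$EventId = 19,
        [int]$Days = 7
    )
    begin {
        # Same XPath filter as in the thread; the look-back window is in milliseconds.
        $ms = [int64]$Days * 24 * 60 * 60 * 1000
        $filterXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(EventID=$EventId) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
</QueryList>
"@
    }
    process {
        foreach ($pc in $ComputerName) {
            $status = 'OK'
            try {
                # -ComputerName takes one name per call, so each host is queried in turn.
                $events = @(Get-WinEvent -FilterXml $filterXml -ComputerName $pc -ErrorAction Stop |
                    Sort-Object TimeCreated)
            } catch {
                # Covers both "no matching events" and unreachable hosts.
                $events = @()
                $status = $_.Exception.Message
            }
            $first = $events | Select-Object -First 1
            $last  = $events | Select-Object -Last 1
            [pscustomobject]@{
                ComputerName = $pc
                Count        = $events.Count
                First        = $first.TimeCreated
                Last         = $last.TimeCreated
                Minutes      = if ($events.Count) { [math]::Round(($last.TimeCreated - $first.TimeCreated).TotalMinutes, 1) }
                Status       = $status
            }
        }
    }
}

$PC_List = "WKFD7SCCM82X86", "WKFD7SCCM8300", "WKFD7SCCMLAB2", "WKFD8VIEWBCH04"
$PC_List | Get-UpdateEventSummary -Days 7 | Format-Table -AutoSize
```

Because every host yields a row even when the query fails, a machine that returned no events or could not be reached shows up in the table with the error text in `Status` instead of silently disappearing from the report.
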
  • I didn't just quote it back. I made you look at it from a different perspective which hopefully caused you to see the inconsistency in your design.


    ¯\_(ツ)_/¯

    Friday, July 11, 2014 8:27 PM
  • There is a much easier way to do this but I will leave it to you to discover that.


    ¯\_(ツ)_/¯

    Friday, July 11, 2014 8:28 PM