Eventlog problems with query

  • Question

  • Hello all,

    I'm coming from this post:
    http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/d31cf0e4-a760-40fe-9fbd-297141b81c04

    My problem is basically that when, in Windows 2008 R2, I reached more than 2^32 events in the event log (4294967296), the WMI queries by RecordNumber are not working, such as:

    Select * from win32_ntlogevent where RecordNumber=xxxx

    When I get the max RecordNumber I get a value lower than 4294967296, which means WMI truncates the value (the WMI class stores the RecordNumber in a UINT32, and as I can see in eventvwr, the RecordNumber can be up to 2^64).

    In the query I use the truncated value, the same that WMI returns, so it should work. I realized that if I use quotes around the RecordNumber, the query works, but it is REALLY slow!

    Select * from win32_ntlogevent where RecordNumber='xxxx'

    Can this be a bug in WMI/eventlog? I've coded a program that gets the events from the event log in real time, and I use the RecordNumber to know which are the new events (I perform a query every minute or so).

    This was working fine until I got a server whose RecordNumber was higher than 4294967296. Right now those queries are not working for this server...

    I really want to use the RecordNumber because it's a good way to know the last event read and to not read duplicates. I could use TimeGenerated, but some events have the same value, so it could be a problem.

    Thanks!

    Friday, September 7, 2012 7:57 AM

Answers

  • Select * from win32_ntlogevent where CONVERT(varchar, RecordNumber, 10) = '4294967296'


    You can also seek help here.
    http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/threads


    Thanks

    Tuesday, September 11, 2012 12:33 PM

All replies

  • This query is throwing an error,

    "Invalid query".

    I checked and the query "Select * from win32_ntlogevent where recordnumber='xxxxxx'" works, but it is VERY VERY SLOW, so I'm stuck at the same point.

    Monday, September 17, 2012 9:34 AM
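An added example, not from any post in this thread, of the same "fetch only events newer than the last record I read" loop done with Get-WinEvent, which exposes the record id as a 64-bit value and accepts an XPath filter on EventRecordID, so the UINT32 RecordNumber of Win32_NTLogEvent never enters the query. The log name, state-file path and variable names are assumptions chosen for illustration.

```powershell
# Added example: poll an event log for records newer than a saved high-water mark
# using Get-WinEvent (EventLogRecord.RecordId is Int64) instead of WMI's UINT32 RecordNumber.
param(
    [string]$LogName   = 'System',                                   # assumption
    [string]$StatePath = "$env:ProgramData\eventpoll\$LogName.last"  # assumption
)

# Last record id processed on a previous run (0 on first run). [int64] keeps the full width.
[int64]$lastRecordId = 0
if (Test-Path $StatePath) { $lastRecordId = [int64](Get-Content -Path $StatePath) }

# Illustrates the truncation from the thread: a UINT32 view of an id above 2^32 wraps around.
$asUint32 = [uint32]($lastRecordId -band 0xFFFFFFFF)
Write-Verbose ("Last record id {0}; as UINT32 it would read {1}" -f $lastRecordId, $asUint32)

# XPath compares EventRecordID as a full 64-bit number: no quoting tricks, no CONVERT().
$xpath  = "*[System[EventRecordID > $lastRecordId]]"
$events = Get-WinEvent -LogName $LogName -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Hand the event to whatever consumes it (forwarder, detection rules, archive).
    "{0} {1} {2} {3}" -f $e.RecordId, $e.TimeCreated, $e.Id, $e.ProviderName
    if ($e.RecordId -gt $lastRecordId) { $lastRecordId = $e.RecordId }
}

# Persist the high-water mark so the next poll starts strictly after it and never re-reads.
New-Item -ItemType Directory -Path (Split-Path -Parent $StatePath) -Force | Out-Null
Set-Content -Path $StatePath -Value $lastRecordId
```

Run it from a scheduled task at the polling interval the question describes; because the filter is strictly greater than the stored id, an event is emitted at most once even if two events share the same TimeGenerated.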