PowerShell Get-WinEvent cmdlet: Filtering by time-stamp not producing desired results?
Someone gave me the answer on another forum: FilterXML to the rescue.
The following gave me exactly what I wanted, with the added convenience of letting the GUI build the query for me:
```powershell
# XPath query as generated by the Event Viewer "Filter Current Log" dialog (XML tab).
# Inside XML element text the comparison operator has to be written as &lt;= rather than
# a raw <=, otherwise the [xml] conversion performed for -FilterXml fails to parse it.
# timediff(@SystemTime) is in milliseconds: 86400000 ms = 24 hours.
$FilterXML = '<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[(EventID=4771 or EventID=4625 or EventID=4768) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
</Query>
</QueryList>'
$LogonEvents = Get-WinEvent -FilterXml $FilterXML
# Oldest matching event first
$LogonEvents | Sort-Object -Property TimeCreated | Select-Object -First 1
```
Doing `($LogonEvents | sort -Property TimeCreated | Select-Object -First 1)` I was able to confirm the oldest log was exactly 24 hours old.
Should have poked around in the docs more because I didn't even know about -FilterXml. I think I'll be using that from now on.
Geoffrey McCosker
Updated on September 18, 2022
Comments
-
Geoffrey McCosker almost 2 years
I am trying to filter events via Get-WinEvent to get specific logs from the last 24 hours:
```powershell
$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4625,4768; StartTime=(Get-Date).AddHours(-24)}
$LogonEvents = Get-WinEvent -FilterHashtable $EventLogFilter
```
The problem is that Get-WinEvent only returns 14 events, but there are thousands that meet these criteria.
Example:
```powershell
$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4625,4768; StartTime=(Get-Date).AddHours(-24)}
$LogonEvents = (Get-WinEvent -FilterHashtable $EventLogFilter)
$LogonEvents.count
14
```
Now, if I remove the StartTime filter from Get-WinEvent and filter with Where-Object you can see how many of these events there actually are:
```powershell
$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4625,4768}
$LogonEvents = (Get-WinEvent -FilterHashtable $EventLogFilter)
($LogonEvents | ?{$_.TimeCreated -ge (Get-Date).AddHours(-24)}).count
19497
```
So it missed almost 20,000 event logs! What the heck is going on, am I doing something stupid, is Get-WinEvent broken? Is there a limit to the number of logs this cmdlet can filter before it freaks out and produces unreliable results?
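As an added example (not code from either post on this page), the following PowerShell builds the same kind of XPath time filter from parameters, runs it through `-FilterXml` with `-Oldest`, and reports alongside it the counts that the `-FilterHashtable` and `Where-Object` approaches from the question produce over the same window, so the discrepancy and the oldest returned event can be checked on any collector. The log name `ForwardedEvents` and event IDs 4771, 4625 and 4768 are the ones from the page; the function names `New-EventXPathQuery`, `Get-LogonEventsByXPath` and `Compare-EventFilterMethods` are this example's own.

```powershell
# Added example: parameterised XPath filter for Get-WinEvent -FilterXml, plus a
# side-by-side count against the FilterHashtable form from the question.
# Function names below are this example's own, not part of any module.

function New-EventXPathQuery {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int[]]$EventId,
        [Parameter(Mandatory)][int]$LookbackHours
    )
    # timediff(@SystemTime) yields milliseconds between the event and "now" at query time.
    $ms = [int64]$LookbackHours * 3600 * 1000
    $idClause = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    # The comparison operator must be XML-escaped (&lt;=) inside element text.
    @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[($idClause) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
</QueryList>
"@
}

function Get-LogonEventsByXPath {
    param(
        [string]$LogName = 'ForwardedEvents',
        [int[]]$EventId = @(4771, 4625, 4768),
        [int]$LookbackHours = 24
    )
    $xml = New-EventXPathQuery -LogName $LogName -EventId $EventId -LookbackHours $LookbackHours
    # -Oldest returns matches in ascending time order, so the first object is the oldest hit.
    # SilentlyContinue avoids the "No events were found" error when the window is empty.
    Get-WinEvent -FilterXml $xml -Oldest -ErrorAction SilentlyContinue
}

function Compare-EventFilterMethods {
    param(
        [string]$LogName = 'ForwardedEvents',
        [int[]]$EventId = @(4771, 4625, 4768),
        [int]$LookbackHours = 24
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # 1. Server-side XPath filter (the approach from the accepted answer).
    $byXPath = @(Get-LogonEventsByXPath -LogName $LogName -EventId $EventId -LookbackHours $LookbackHours)

    # 2. FilterHashtable with StartTime (the approach the question found unreliable).
    $byHashtable = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; StartTime = $since } `
        -ErrorAction SilentlyContinue)

    # 3. Reference count: fetch all matching IDs, then filter client-side.
    #    Slow on a large forwarded-events log, but it is the ground truth for the window.
    $byWhereObject = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
        -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -ge $since })

    [pscustomobject]@{
        WindowStart       = $since
        XPathCount        = $byXPath.Count
        HashtableCount    = $byHashtable.Count
        WhereObjectCount  = $byWhereObject.Count
        OldestXPathEvent  = if ($byXPath.Count) { $byXPath[0].TimeCreated } else { $null }
        # True when every XPath hit lies inside the requested window (oldest is checked
        # because -Oldest already sorted the results ascending).
        XPathWithinWindow = ($byXPath.Count -eq 0) -or ($byXPath[0].TimeCreated -ge $since)
        CountsAgree       = ($byXPath.Count -eq $byWhereObject.Count)
    }
}

# Usage: run on the collector holding the ForwardedEvents log.
Compare-EventFilterMethods | Format-List
```

`XPathCount` and `WhereObjectCount` should match; if `HashtableCount` is lower, the host reproduces the behaviour the question describes. Note that the third query reads the whole log for the chosen IDs, so on a busy collector it is worth narrowing `$EventId` or accepting the wait; the XPath path alone is what you would keep in a scheduled detection job.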
-
Mathias R. Jessen almost 11 years
I'm not able to reproduce this. Does this strange behavior occur on all Event logs or only on "ForwardedEvents"? What happens if you try it on the local security log for example?
-
Geoffrey McCosker almost 11 years
Didn't test with other logs after finding the FilterXml parameter worked. Don't know why that way worked while FilterHashtable didn't.
-
Mathias R. Jessen almost 11 years
You can have Windows sort them for you if you use the -Oldest parameter: `$LogonEvents = Get-WinEvent -FilterXml $FilterXML -Oldest`.