Event log - how get event IDs of most frequent incidents?

Hi all!

I have made a script that reads the Windows event log for system/application and does some simple statistics for last 7 days.
Number of errors for the period, as well as number of warnings etc.
Works great!

—> QUESTION: <—
How to write PowerShell code that shows which Event IDs are the most common? Like a top ten list of warnings/errors or something like that.

Desired output would be something like this:

2019-07-22 ; 2019-07-15 ; EventID; 55 ;Frequency; 102
2019-07-22 ; 2019-07-15 ; EventID; 123 ;Frequency; 56
2019-07-22 ; 2019-07-15 ; EventID; 32 ;Frequency; 34

Start-date ; end-date ; EventID; XX ; Frequency ; YY

(*) Frequency just means the number of hits/occurrences for that specific event ID. The top 5 or so would do just fine. But I need to measure exactly which event ID is the most common/has the most hits/highest frequency/most occurrences.

What I have done so far is a foreach that counts up the event ID with increments of 1 at a time - but that is not very elegant and is way too slow (considering that theoretically the range would be 1-65535).

Any ideas?

Have a nice day!

Cmdlets you would need are Get-WinEvent, Group-Object and a Foreach loop. Try to put some code after reading online help docs for these cmdlets.
Share the code when you get stuck/error here… people will help.

@fredrikhedlund38 As per your details, you can use the code below for the example:

Code:

$after = (Get-Date).AddDays(-7)
$before = Get-Date
# Group warnings/errors by event ID; each group's Name is the ID and Count is its frequency,
# sorted so the most common ID comes first
$group_ids = Get-EventLog -LogName System -After $after -Before $before |
    Where-Object { $_.EntryType -match 'Warning|Error' } |
    Group-Object EventID | Sort-Object Count -Descending
foreach ($group_id in $group_ids) {
    Write-Host "Start-date:$($after.ToString('yyyy-MM-dd')) End-date:$($before.ToString('yyyy-MM-dd')) Frequency:$($group_id.Count) EventID:$($group_id.Name)"
}

> Cmdlets you would need are Get-WinEvent, Group-Object and a Foreach loop. Try to put some code after reading online help docs for these cmdlets.
>
> Share the code when you get stuck/error here… people will help.

Thanks!
This solved my problem - I think!

This is what I came up with:

### PowerShell version 2.0 (1.0?)

# Read from disk once
$systemerror = Get-EventLog -LogName SYSTEM -EntryType Error -After (Get-Date).AddDays(-8) -Before (Get-Date).AddDays(-1)

# count,name (name = event id), most frequent first
$systemerror | Group-Object -Property InstanceID | Sort-Object Count -Descending

### PowerShell version 3.0, 4.0, 5.1

# Read from disk once
$systemerror = Get-WinEvent -FilterHashtable @{
    LogName   = 'SYSTEM'
    Level     = 2
    StartTime = (Get-Date).AddDays(-8)
    EndTime   = (Get-Date).AddDays(-1)
}

# count,name (name = event id), most frequent first
$systemerror | Group-Object -Property ID | Sort-Object Count -Descending | Select-Object Count,Name
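Putting the pieces from this thread together, here is an added example script (not posted by anyone in the thread) that prints the "Start-date ; End-date ; EventID ; XX ; Frequency ; YY" list the question asked for. It reads each log once with Get-WinEvent, groups with Group-Object and sorts by Count, so there is no per-ID counting loop. It assumes PowerShell 3.0 or later, rights to read the System and Application logs, and the parameter names ($Days, $Top, $LogName) are this example's own choice.

```powershell
# Added example: top-N most frequent Critical/Error/Warning event IDs for the last N days.
# Assumes PowerShell 3.0+; parameter names below are this example's own.
param(
    [int]$Days = 7,
    [int]$Top = 10,
    [string[]]$LogName = @('System', 'Application')
)

$end   = Get-Date
$start = $end.AddDays(-$Days)

# One read for all requested logs. Level 1 = Critical, 2 = Error, 3 = Warning.
$filter = @{
    LogName   = $LogName
    Level     = 1, 2, 3
    StartTime = $start
    EndTime   = $end
}
# SilentlyContinue: Get-WinEvent raises an error (not an empty result) when nothing matches
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Group by log + provider + ID: the same numeric ID means different things
# for different providers, so an ID alone is not a reliable key.
$top = $events |
    Group-Object -Property LogName, ProviderName, Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First $Top

$fmt = 'yyyy-MM-dd'
foreach ($g in $top) {
    $sample = $g.Group[0]   # any member of the group carries the log/provider/ID values
    '{0} ; {1} ; Log ; {2} ; Provider ; {3} ; EventID ; {4} ; Frequency ; {5}' -f `
        $start.ToString($fmt), $end.ToString($fmt),
        $sample.LogName, $sample.ProviderName, $sample.Id, $g.Count
}
```

Save it as a .ps1 and run it as, for example, `.\Top-EventIds.ps1 -Days 7 -Top 5 -LogName System`. Grouping on provider as well as ID is the part the thread's one-liners skip; when you compare the list across weeks, a jump in the count for one provider/ID pair is what you want to notice, and two providers sharing a number would otherwise be merged into one row.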

Thanks! I'll check it out!

Just out of curiosity, where is that $hasharray used? I can't see where.