Get event logs for specific date

PowerShell Help
1

Hi,

I’m trying to list all event logs for a specific date

I’ve tried this, but it doesn’t return any results

Get-EventLog -LogName System | where { $_.timegenerated -like "10/01*" }

I can get events before or after a date by using this:

Get-EventLog -LogName System | where { $_.timegenerated -gt [get-date].AddDays[-7] }
Get-EventLog -LogName System | where { $_.timegenerated -lt [get-date].AddDays[-7] }

I guess it’s something to do with TimeGenerated being a System.DateTime object type, so maybe it should look a bit like this:

$date = New-Object -TypeName System.DateTime
Get-EventLog -LogName System | where { $_.timegenerated -eq $date }

I can’t work out how to assign the current date to $date, can someone point me in the right direction?

Thanks

2

Hey there Nick,

Try this:

Get-EventLog System | Where-Object TimeWritten -Like “12/12*”

If you do a Get-EventLog System | Get-Member, it’ll give you the properties of the objects you’re retrieving. I also used Select-Object -First 1 to limit my selection to the first log entry so I didn’t have to swim through everything:

Get-EventLog System | Select-Object -First 1 | Get-Member

You’ll see that what you want to filter on is the TimeWritten property. Let me know if that helps!

3

Might be easier to use the -Before and -After parameters

Get-EventLog -LogName System -After (Get-Date -Date ‘1/1/2015’)
Get-EventLog -LogName System -After (Get-Date -Date ‘1/1/2015’) -Before (Get-Date -Date ‘10/1/2015’)

4

Or that. :slight_smile:

5

Hi, and thanks for your input. I found the problem, it’s to do with date format.

We use dd/mm/yy in the UK, and PowerShell displays dates in this format, so does Event Viewer. For some reason I have to use mm/dd/yy when I narrow down my results with where-object. I realised this when I searched using 12/12, as suggested by @Will Anderson, and it worked.

PS D:> Get-EventLog -LogName System -newest 1 | where { $_.TimeWritten -like “2015” } | select TimeWritten

TimeWritten

13/01/2015 09:08:20

PS D:> Get-EventLog -LogName System -newest 1 | where { $_.TimeWritten -like “13/01/2015*” } | select TimeWritten
No Results

PS D:> Get-EventLog -LogName System -newest 1 | where { $_.TimeWritten -like “01/13/2015*” } | select TimeWritten

TimeWritten

13/01/2015 09:08:20