Get-WinEvent and filtering for the message

by surveyor at 2013-05-10 10:03:06

Hi,
with this little script (it works) I try to filter scheduled tasks (beginning and end) from the eventlog. Is it possible to filter for messages in the XML-Filter instead of using Where-Object? I have searched a lot, but there are only a few examples and the official documentation is too confusing for me.

Clear-Host

$XMLQuery = @"
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
<Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(Level=4 or Level=0) and (EventID=100 or EventID=102)]]</Select>
</Query>
</QueryList>
"@

$Abruf = {
    # Switch to the English culture because of a .NET bug. Otherwise no message texts are output.
    $orgCulture = Get-Culture
    [System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"

    Get-WinEvent -FilterXml $XMLQuery |
        Where-Object { $_.Message -notmatch "\\Microsoft\\" } # |
        # Select-Object -First 5

    # Because of the .NET bug. See above.
    [System.Threading.Thread]::CurrentThread.CurrentCulture = $orgCulture
}
$a = Get-Date
$Test = . $Abruf
$b = Get-Date
$Test.Count
$a
$b


PS: I’m not very happy with the new forum…
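
On the question above, as an added example that is not part of the original post: the XML filter is matched against the event's structured fields, not the rendered Message, and the Event Log XPath subset has no substring functions such as contains() or starts-with(). An exact task name can be matched inside the query, while a prefix exclusion like "\Microsoft\" has to stay client-side, where it can test the TaskName field without rendering the message. Assumptions: events 100 and 102 carry a Data element named TaskName; the function name, the task names and the sample events are constructed for illustration.

```powershell
# Added example, not code from the original post.
# Assumption: TaskScheduler events 100/102 expose <Data Name="TaskName"> in EventData.

# Exact match on a structured field works inside the XML filter itself.
# '\Backup\Nightly' is a hypothetical task name.
$ExactQuery = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">
      *[System[(EventID=100 or EventID=102)] and EventData[Data[@Name='TaskName']='\Backup\Nightly']]
    </Select>
  </Query>
</QueryList>
'@

# Extract TaskName from an event's XML (what $event.ToXml() returns).
function Get-TaskNameFromEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    $mgr = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $mgr.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $node = $doc.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='TaskName']", $mgr)
    if ($node) { $node.InnerText }
}

# Constructed sample events (trimmed to the fields used here) so the filter runs offline.
$Samples = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>100</EventID></System><EventData><Data Name="TaskName">\Backup\Nightly</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>102</EventID></System><EventData><Data Name="TaskName">\Microsoft\Windows\Defrag\ScheduledDefrag</Data></EventData></Event>'
)

# Prefix exclusion on the field value; backslash is literal in -like patterns.
$Kept = $Samples | Where-Object { (Get-TaskNameFromEventXml $_) -notlike '\Microsoft\*' }
$Kept | ForEach-Object { Get-TaskNameFromEventXml $_ }

# Against the live log, the same test replaces the Message match:
# Get-WinEvent -FilterXml $XMLQuery |
#     Where-Object { (Get-TaskNameFromEventXml $_.ToXml()) -notlike '\Microsoft\*' }
```

Because this test never reads the Message property, it does not depend on the thread culture.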