Hashtable comparison operator, less than, greater than, etc?

techfringe · March 1, 2022, 8:50pm

I’m just starting to use hashtables for filtering events.

This example works great and lets me get specific events from the log. However the limitation for extracting events is set by maximum number of events to check, -MaxEvents. Not by, say, events two days ago or last week.

Get-WinEvent -FilterHashtable @{LogName="System";ID=301,302,304,308,101,103,108} -MaxEvents 50

The output from the above has a TimeCreated column but I’ve found no way to incorporate TimeCreated into the hashtable and do a relative test for on or after TimeCreated, on or before TimeCreated, etc. For example:

Get-WinEvent -FilterHashtable @{LogName="System";ID=301,302,304,308,101,103,108;TimeCreated>"2/28/2022"}

is not a valid expression.

This next works, but obviously is not using the hashtable to filter events by date:

 Get-WinEvent -FilterHashtable @{LogName="System";ID=301,302,304,308,101,103,108}  | Where-Object { $_.TimeCreated -ge "2/28/2022"}

Is there a way to do relative filtering with a hashtable? If there is, please explain, provide link, etc.

Thanks.

krzydoug · March 1, 2022, 9:08pm

Hi please read the entire help for any cmdlets you want to use. This will save time and frustration of trying to guess how they work.

If you look at the filterhashtable parameter specifically, you will see a starttime and endtime

Olaf · March 1, 2022, 9:09pm

You’re overthinking this. When you want to see the events from the day before yesterday you use this filterhashtable:

$FilterHashtable = @{
    LogName   = 'System'
    ID        = 301, 302, 304, 308, 101, 103, 108
    StartTime = (Get-Date).Date.AddDays(-2)
    EndTime   = (Get-Date).Date.AddDays(-1)
}

Get-WinEvent -FilterHashtable $FilterHashtable

… for yesterday it would be this:

$FilterHashtable = @{
    LogName   = 'System'
    ID        = 301, 302, 304, 308, 101, 103, 108
    StartTime = (Get-Date).Date.AddDays(-1)
    EndTime   = (Get-Date).Date
}

Get-WinEvent -FilterHashtable $FilterHashtable

Of course you can adjust the timespan to your particular needs.

techfringe · March 1, 2022, 10:23pm

I did see the StartTime and EndTime.

RTFM is one of my habits since forever.

However, seeing StartTime and EndTime doesn’t translate to doing a relative test against its value in the hashtable.

My last example even made use of StartTime but in a Where-Object.

techfringe · March 1, 2022, 10:27pm

Wow, thank you.

From your code it seems the StartTime and EndTime translate to the First Event and Last Event for a Custom Range… in the Event Viewer filter. I would not have expected that.

| Olaf
March 1 |

| - |

You’re overthinking this. When you want to see the events from the day before yesterday you use this filterhashtable:

$FilterHashtable = @{
    LogName   = 'System'
    ID        = 301, 302, 304, 308, 101, 103, 108
    StartTime = (Get-Date).Date.AddDays(-2)
    EndTime   = (Get-Date).Date.AddDays(-1)
}

Get-WinEvent -FilterHashtable $FilterHashtable

… for yesterday it would be this:

$FilterHashtable = @{
    LogName   = 'System'
    ID        = 301, 302, 304, 308, 101, 103, 108
    StartTime = (Get-Date).Date.AddDays(-1)
    EndTime   = (Get-Date).Date
}

Get-WinEvent -FilterHashtable $FilterHashtable

Of course you can adjust the timespan to your particular needs.

techfringe · March 1, 2022, 11:59pm

and, as I said, I did rtfm. Get-WinEvent in the powershell 7.2 reference documentation. It identifies both StartTime and EndTime as <DateTime>.

Get-ChildItem’s LastWriteTime is also a <DateTime>. Can’t filter with a hashtable though. Can -Filter with -eq, -lt, -gt, etc. And there are many other Get-… that return <DateTime> values which are all filterable with comparison expressions.

And even the StartTime and EndTime of Get-WinEvent are filterable with comparison expressions in a Where-Object.

How/where did you find out StartTime and EndTime work as limits in a hashtable? Can you point me to a Microsoft reference that describes what you’ve shown me? It obviously works but I’ve never found anything that describes it and would certainly like to read about it.

Thank you.

Olaf · March 2, 2022, 12:22am

Examples 16, 17, 18 and 19 use StartTime as filter.

And it does not need that much to figure out that EndTime works as well.

techfringe · March 2, 2022, 12:34am

I did see those. But I didn’t catch the implication of the statement at the beginning of #16 “…get events that occurred in the last 24-hours …”

What I keyed on was “… Filters are applied as the objects are retrieved. Where-Object retrieves all of the objects, then applies filters to all of the objects…” and thought of how filters I’ve used work wherever else I’ve used them.

I probably would have read it a hundred times without recognizing it was referring to retrieving a range. This will get used a lot.

Again, thank you. Really.

krzydoug · March 2, 2022, 1:47am

It’s a filter for Get-WinEvent, just happens to use a hash table.

Topic		Replies	Views
Event Log Filtering for Event ID and Date PowerShell Help	1	229	June 24, 2022
Trying to query archived event logs, not working but I do not see why PowerShell Help	1	156	June 8, 2018
Get-WinEvent in a remote session gives an error PowerShell Help	2	171	March 10, 2015
Trying to query archived event logs, not working but I do not see why PowerShell Help	1	189	June 11, 2018
Log search working in Windows 7 but not in Windows 10 PowerShell Help	3	136	July 30, 2019

Hashtable comparison operator, less than, greater than, etc?

Related Topics