PowerShell filter top ten event id

PowerShell Help
1

Hi

I need help building a PowerShell script which should do the following:

Get only the top ten most occurring system/application/security events, show the most occurring event in full text, search beginning one day before (-24h).

Getting event works:

Get-EventLog -LogName Application

I struggle to query and sort them though:

Where-Object XXX

Any help would be appreciated.

Thanks.

PS: The time is probably the easy part:

The Get-EventLog has the After/Before attribute, which allows me to define the time I reckon. Or Where-Object { $_.TimeCreated -ge $Yesterday } look usefull.

2

Yup,
Grüezi wohl and Welcome to the forum. :wave:t3:

You should not use Get-Eventlog anymore. Instead use …

To determine the most occurring events you can use …

To get the amount of events per event ID. And …

… to sort by the amount of events.

And then …

… to pick only the first or last 10 events depending on your sort order.

Please always read the help for the cmdlets you’re about to use completely including the examples to learn how to use them.

And BTW:
When you post code, sample data, console output or error messages please format it as code using the preformatted text button ( </> ). Simply place your cursor on an empty line, click the button and paste your code.

Thanks in advance

How to format code in PowerShell.org 1 <---- Click :point_up_2:t4: :wink:

( !! Sometimes the preformatted text button hides behind the settings gear symbol. :wink: )

3

Hoi :slight_smile:

Thanks for the reply. To be honest, I did already read the help for the cmdlets, but struggle to put them together correctly. Otherwise, I wouldn’t post in a forum.

Any help on the most occurring part?

Thanks!

4

As I already wrote … use the cmdlet Group-Object to group the output of Get-WinEvent by the event ID, sort this output with Sort-Object by the property count and select the last or first 10 items with Select-Object.

If you have a specific issue with a particular piece of code you should share this code here - formatted as code - and we are pretty likely able to help you further. :wink: :+1:t3: :love_you_gesture:t3:

5

Hi
This is as far I got.

param(
		[Parameter(Position=0, ValueFromPipeline=$True, Mandatory=$False)]
		[System.String]
		$Computer="$env:COMPUTERNAME"
	)
	
function Get-ClassicLogs {

$Computers=$Computer.Split(',')

		foreach ($Computer in $Computers)
		{
		$Logs= Get-WinEvent -ComputerName $Computer -ListLog Application, System, Security -ErrorAction SilentlyContinue | Select-Object -Property LogName # -ListLog * = This command gets all the event logs on the local computer


			foreach ($log in $Logs)
			{

			Write-Host " Results from "$log" on "$Computer""
			Get-WinEvent -ComputerName $Computer -FilterHashTable @{LogName=$log.LogName; Level=1,2} -ErrorAction SilentlyContinue | Group-Object Id,providername | 
			Sort-Object -Property Count -Descending | select-object Count,Name | Format-Table -AutoSize
			}
		}
}


Get-ClassicLogs

Already on the right path, but not yet perfect. I would like to insert a “due” day (skip today, minus 24h)

#$time= (Get-Date) - (New-TimeSpan -Day 1)
Where-Object { $_.TimeCreated -ge $time}

Also, the one Event with the highest count should be displayed completely.

Could work with

Select-Object -Property *

I struggle putting this altogether in the code above. Thanks for your help.

6

You should filter as far left as possible. So if possible use limitting parameters in your initial cmdlet instead of filtering later on with Where-Object. Of course that’s not always possible. :man_shrugging:t3:

You may start with something like this:

$StartTime = (Get-Date).Date.AddHours(-24)
$EndTime = (Get-Date).Date

$FilterHashtable = @{ 
    StartTime = $StartTime; 
    EndTime   = $EndTime;
    LogName   = 'Application', 'Security', 'System'
}
$Result =
Get-WinEvent -FilterHashtable $FilterHashtable | 
Group-Object -Property Logname, ID | 
Sort-Object -Property @{Expression = { ($_.Name -split ',')[0] } }, Count -Descending
$Result

Now you can use the variable $result to apply further filter criteria to display whatever you need.

Hmmm … since an eventlog entry has a lot of properties I’m not sure how you would like to display this. I’m afraid that does not fit into the same view like the highscore table. :man_shrugging:t3:
But since all information are still available in the variable $result you can get fancy with the way you show the results. :wink:

7

I will try to make it work. Thanks for your help.