Dear Community
I need your help with my query below.
I am trying to retrieve event log messages for a particular event ID, and I need to extract the messages which are unique, which I am able to get with the code below. I also wanted to get the TimeCreated property along with the unique message, which I am unable to get. I have tried a few options but nothing works. TIA
$eventlogs = Get-WinEvent -FilterHashtable @{logname='Application';id=1194;starttime=$time}
$Message = $eventlogs | select-object message -unique
Selecting with the TimeCreated property specified should give you what you need:
Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique
Hi Jonathan
Thanks for the reply. But it's not working :(. It looks like the TimeCreated property is applied for unique.
(Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique).count
4014
(Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -unique).count
38
That is correct
-Unique
Specifies that if a subset of the input objects has identical properties and values, only a single member of the subset will be selected.
While the number will vary based on the system, selecting without the -Unique switch gives you the largest number.
(Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message).count
93
(Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message).count
93
Using -Unique with just the Message property will give the unique messages and the smallest number of events.
(Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique).count
5
Adding any other property will expand the returns because all of the properties will be evaluated for the -Unique switch.
(Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -Unique).count
86
If you are trying to limit the return to just the last event details (or whatever your requirements are), you will need to get the unique messages and then query based on your requirements. This example will get the last event for each message.
$msgs = Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
foreach($msg in $msgs){
    Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated,Message -Last 1
}
Hi Jonathan
I think this will work :). I am not near a system to check; will check later… Thank you for taking your valuable time to explain in detail… Much clearer now… Our community rocks
Hi Jonathan
It's not working. Are you getting the same count for both?
$msgs = Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
$result = foreach($msg in $msgs){
    Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated
}
$result.count
Hi Suresh,
I think the below should give you what you want.
# Set filter hash specifying event log name and event id
$FilterHash = @{
    logname = 'Application'
    id = 1003
}
# Get all events matching filter
$AllEvents = Get-WinEvent -FilterHashtable $FilterHash
$AllEvents.Count
# Get all unique messages (just for comparison)
$UniqueMessages = $AllEvents | Select-Object -Property Message -Unique
$UniqueMessages.Count
# Build result set while tracking if message has been seen before
$Result = @()
foreach ($Event in $AllEvents)
{
    if (-not ($Result.Message -contains $Event.Message))
    {
        $Result = $Result + $Event
    }
}
$Result.Count
# Get TimeCreated and message from result set
$Result | Select-Object -Property TimeCreated, Message
Suresh
Your code is missing the filter to only select the last event; that is why the counts are different.
This
$msgs = Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
$result = foreach($msg in $msgs){
    Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|
        Where-Object{$_.Message -eq $msg.Message}|
        Select-Object TimeCreated
}
$result.count
should be
$msgs = Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
$msgs.count
$result = foreach($msg in $msgs){
    Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|
        Where-Object{$_.Message -eq $msg.Message}|
        Select-Object TimeCreated,Message -Last 1
}
$result.count
Excellent… It worked. Once again, thank you so much :) You have been really helpful. Cheers.
One small thing:
Always wrap your commands in @() when you expect multiple values, but might get 0 or 1.
Because this gives an error:
Set-StrictMode -Version "latest"
$Events = Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1
$Events.Count
# The property 'Count' cannot be found on this object. Verify that the property exists.
But this will work:
Set-StrictMode -Version "latest"
$Events = @(Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1)
$Events.Count
# 1
That might save you some serious headache if you some day in the future suddenly get a single event.
Thanks Christian and thanks Paul Brathen for your help… Cheers
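
Added example, not written by any poster in this thread: it groups the events by Message in a single pass and reports, for each distinct message, how often it occurred and its earliest and latest TimeCreated, so the log is read once rather than once per unique message. `Get-UniqueEventMessage` is a hypothetical helper name, and the sample events are constructed so the block runs without a Windows event log.

```powershell
Set-StrictMode -Version Latest

# Hypothetical helper (not a built-in cmdlet): one output row per distinct Message.
function Get-UniqueEventMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    begin   { $buffer = [System.Collections.Generic.List[psobject]]::new() }
    process { $buffer.Add($InputObject) }
    end {
        # -CaseSensitive mirrors the case-sensitive comparison of Select-Object -Unique.
        $buffer | Group-Object -Property Message -CaseSensitive | ForEach-Object {
            # Sort explicitly instead of relying on the order the events arrived in.
            $sorted = @($_.Group | Sort-Object -Property TimeCreated)
            [pscustomobject]@{
                Count     = $_.Count
                FirstSeen = $sorted[0].TimeCreated
                LastSeen  = $sorted[-1].TimeCreated
                Message   = $_.Group[0].Message
            }
        }
    }
}

# Constructed sample events, not real log data. On Windows, use instead:
#   $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1003 })
$t0 = [datetime]'2024-01-01T08:00:00'
$events = @(
    [pscustomobject]@{ TimeCreated = $t0.AddHours(5); Message = 'License check failed' }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(3); Message = 'Service restarted' }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(1); Message = 'License check failed' }
    [pscustomobject]@{ TimeCreated = $t0;             Message = 'License check failed' }
)

# @() keeps .Count valid under strict mode even when only one group comes back.
$summary = @($events | Get-UniqueEventMessage | Sort-Object -Property LastSeen -Descending)
$summary.Count
$summary | Format-Table -AutoSize
```

For triage, a message with a high Count and a recent FirstSeen is usually the one worth reading first, which neither a bare unique-message list nor a single timestamp per message shows.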