
I would like to search the eventlog with one simple query as opposed to going through the same ordeal twice. I simply want to search the eventlog for both application warnings and errors as well as the system log. I currently have it running but would like to have one query if possible.

```powershell
$Date = (Get-Date).AddDays(-4)
$ApplicationEvents = Get-WinEvent -ComputerName $TestHostTemp -FilterHashtable @{logname='application'; StartTime=$Date; level=2,3}
$SystemEvents = Get-WinEvent -ComputerName $TestHostTemp -FilterHashtable @{logname='System'; StartTime=$Date; level=2,3}
```

I would prefer to do something like this but don't know the context to put it in.

```powershell
$Date = (Get-Date).AddDays(-4)
$ApplicationEvents = Get-WinEvent -ComputerName $TestHostTemp -FilterHashtable @{logname='application','System'; StartTime=$Date; level=2,3}
```

Colyn1337
Listor
  • Your second sample works for me (tested with both PS 5 and PS 7.1). This is according to [the spec](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1#parameters), as the `logname` value can be an array of strings. What is the specific problem you have with this query? – zett42 Mar 31 '21 at 19:23
  • What context??? – js2010 Mar 31 '21 at 21:57

2 Answers


As @zett42 pointed out the OP's desired query works fine. You can specify an array of strings for the log you want to query without an issue. I'm leaving my answer here in case somebody can learn from it for other purposes.

You can, but you'll want to use the `-FilterXml` parameter. What you can do is set up a custom view in the Event Viewer, and then click on the XML tab and copy things from there. Once you have the XML in PowerShell you can modify it as you see fit. Basically something like this:

```powershell
# Start of the window in UTC; 'HH' is the 24-hour clock ('hh' would be 12-hour)
$StartTime = [datetime]::Today.AddDays(-4).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.000Z')
# One Query element with a Select per log to search
$Filter = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=2 or Level=3) and TimeCreated[@SystemTime&gt;='$StartTime']]]</Select>
    <Select Path="System">*[System[(Level=2 or Level=3) and TimeCreated[@SystemTime&gt;='$StartTime']]]</Select>
  </Query>
</QueryList>
"@
$Events = Get-WinEvent -FilterXml $Filter
```
TheMadTechnician
  • Shouldn't be necessary, see my comment under the question. – zett42 Mar 31 '21 at 19:24
  • You are correct. I'll update my answer to reflect that, but leave this here for educational purposes. – TheMadTechnician Mar 31 '21 at 19:27
  • Thanks, this is perfect, and I can't believe my second example works. I had been banging at it so many different ways, and all of a sudden it works when I'm typing up the example of how it does not work. Thank you so much for the help!!! :-) – Listor Mar 31 '21 at 20:25
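
The structured query from the answer above, built programmatically for any list of logs and levels. This is an added example, not part of the original answer; the function name `New-EventLogQueryXml` and its parameters are assumptions made for illustration.

```powershell
# Added example, not code from the page. New-EventLogQueryXml is a hypothetical helper.
function New-EventLogQueryXml {
    param(
        [Parameter(Mandatory)] [string[]] $LogName,
        [int[]]    $Level     = @(2, 3),                  # 2 = Error, 3 = Warning
        [datetime] $StartTime = (Get-Date).AddDays(-4)
    )

    # SystemTime is compared in UTC. 'HH' is the 24-hour clock; 'hh' would
    # silently shift any afternoon start time by twelve hours.
    $fmt = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    $utc = $StartTime.ToUniversalTime().ToString($fmt, [cultureinfo]::InvariantCulture)

    $levelExpr = ($Level | ForEach-Object { "Level=$_" }) -join ' or '
    $xpath = "*[System[($levelExpr) and TimeCreated[@SystemTime&gt;='$utc']]]"

    # Escape each log name so it cannot break out of the Path attribute.
    $paths   = $LogName | ForEach-Object { [System.Security.SecurityElement]::Escape($_) }
    $selects = $paths   | ForEach-Object { "    <Select Path=`"$_`">$xpath</Select>" }

    # As in the answer's XML, the Query element carries the first log as its Path.
    @(
        '<QueryList>'
        "  <Query Id=`"0`" Path=`"$(@($paths)[0])`">"
        $selects
        '  </Query>'
        '</QueryList>'
    ) -join "`n"
}

# Errors and warnings from both logs in one call, counted per log and level.
$xml = New-EventLogQueryXml -LogName 'Application', 'System'
Get-WinEvent -FilterXml $xml |
    Group-Object LogName, LevelDisplayName -NoElement |
    Sort-Object Name
```

Printing `$xml` before running the query shows the generated `<Select>` elements, which can be compared against the XML tab of an Event Viewer custom view.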

Works for me. Do you want to group it by the logname instead of the providername?

```powershell
$Date = (Get-Date).AddDays(-4)
Get-WinEvent @{logname='application','System'; StartTime=$Date; level=2,3} |
  format-table -GroupBy logname
```


js2010