Question
Tuesday, October 30, 2018 5:55 PM
Is there a way to search all logs in the event viewer with a custom view, like in a specific time interval, without getting the error message "Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. The array bounds are invalid (1734)"?
All replies (3)
Tuesday, October 30, 2018 7:12 PM
I wrote a PowerShell script to output events from all logs within the last n hours to a gridview. You can add a filter and search for strings.
# Name: RecentEvents.ps1
# Desc: Script to read all event logs and put all events within a timeframe into TOD sequence.
# The intent is to see all events that occurred at a certain time when an error may have occurred.
# Life was simpler when we only had 3 eventlogs.
# Usage: RecentEvents.ps1 NumberOfHours Ie: RecentEvents.ps1 24
# Author: Dave (MotoX80)
param($tf = 1)                 # Time frame in hours.
$hdr = $tf                     # keep the hour count for the grid title
$tf = $tf * 3600000            # timediff() works in milliseconds
# get all event log names that have records in them.
$elna = (Get-WinEvent -ListLog * -EA SilentlyContinue | Where-Object { $_.RecordCount -gt 1 })
$AllEvents = @()               # prepare array so we can append to it
foreach ($el in $elna)         # look at each event log
{
    # "<" must be written as &lt; inside the XML query, otherwise the filter does not parse.
    $xml = "<QueryList><Query Id=""0"" Path=""$($el.logname)"">
    <Select Path=""$($el.logname)"">*[System[TimeCreated[timediff(@SystemTime) &lt;= $tf ]]]</Select>
    </Query></QueryList>"
    $AllEvents += Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue   # append the events (if any)
}
$AllEvents | Sort-Object -Descending -Property TimeCreated |
    Select-Object -Property TimeCreated, ID, Logname, LevelDisplayName, Message |
    Out-GridView -Title "Recent Events ($hdr hours)" -OutputMode Multiple
Tuesday, October 30, 2018 7:33 PM
Thanks. I've been doing it this way. Strangely, logname in the filterhashtable can take wildcards, but not "*" by itself.
Get-WinEvent -ListLog * -ea 0 |
foreach { get-winevent -filterhashtable @{logname=$_.logname;
starttime='1:55 pm'; endtime='1:58 pm'} -ea 0 } |
Format-Table TimeCreated, ID, ProviderName, Message -AutoSize -Wrap | more
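An added example, not code from either poster: it combines the two replies above into one function that queries every log for a fixed start/end window with an XPath filter and reports any log that could not be read, so gaps in the timeline are visible. The function name Get-EventsInWindow is hypothetical, and Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example, not from the thread. Get-EventsInWindow is a hypothetical name.
function Get-EventsInWindow {
    param(
        [Parameter(Mandatory)] [datetime] $Start,   # local time
        [Parameter(Mandatory)] [datetime] $End      # local time
    )

    # Event log XPath compares @SystemTime as a UTC ISO 8601 string.
    $fmt   = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $inv   = [cultureinfo]::InvariantCulture
    $from  = $Start.ToUniversalTime().ToString($fmt, $inv)
    $to    = $End.ToUniversalTime().ToString($fmt, $inv)
    $xpath = "*[System[TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']]]"

    $found   = [System.Collections.Generic.List[object]]::new()
    $skipped = [System.Collections.Generic.List[string]]::new()

    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }

    foreach ($log in $logs) {
        try {
            # One small query per log, as both replies do
            $hits = Get-WinEvent -LogName $log.LogName -FilterXPath $xpath -ErrorAction Stop
            foreach ($e in $hits) { $found.Add($e) }
        }
        catch {
            # Most logs have nothing in the window; anything else is a visibility gap
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                $skipped.Add("$($log.LogName): $($_.Exception.Message)")
            }
        }
    }

    foreach ($s in $skipped) { Write-Warning "Not searched - $s" }

    # Oldest first, so the output reads as a timeline
    $found | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LogName, ProviderName, LevelDisplayName, Message
}

# Window taken from the reply above; a bare time is read as today's date.
Get-EventsInWindow -Start '1:55 pm' -End '1:58 pm' | Out-GridView -Title 'Events in window'
```

Run it from an elevated session; logs such as Security otherwise show up in the warnings instead of the results.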
Wednesday, October 31, 2018 9:38 AM
Hello JS2010,
PowerShell is a good way to implement this. And if you have problems with the code, you can go to the PowerShell forum for more help.
PowerShell forum: https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell
Best Regards,
Leon