Question
Monday, February 12, 2018 4:27 PM
Hi
I need to pull out a computer name field value from the following command Get-WinEvent -LogName ForwardedEvents | where {$_.ID -eq 301} | fl
I am only seeing the TimeCreated, ProviderName, Id and Message fields; the ComputerName field is not there.
Is there anything I can do to get the value for ComputerName?
Thanks
Edit:
So the computer name is actually the MachineName field. I am able to retrieve it with the following command
Get-WinEvent -LogName ForwardedEvents | select * | where {$_.ID -eq 256} | fl
If I try Get-WinEvent -LogName ForwardedEvents | select MachineName | where {$_.ID -eq 256}
I end up with an empty output.
All replies (18)
Monday, February 12, 2018 5:11 PM ✅Answered | 2 votes
Get-WinEvent -LogName ForwardedEvents | where {$_.ID -eq 301} | Select-Object -Property MachineName
You would have got it if you had tried Format-List * (fl *)
Get-WinEvent -LogName ForwardedEvents | where {$_.ID -eq 301} | fl *
Regards kvprasoon
Monday, February 12, 2018 11:37 PM ✅Answered | 1 vote
This is an inefficient way to query the event log. You need to filter or you will return all records which can take a huge amount of time on a large system.
Use the filter:
Get-WinEvent -FilterHash @{LogName='ForwardedEvents';ID=256} | fl
\(ツ)_/
Monday, February 12, 2018 5:36 PM
Thank you!
Monday, February 12, 2018 5:58 PM
Can Select-Object -Property MachineName be moved into where?
where {$_.ID -eq 301 and $ ???????????}
Thanks
Monday, February 12, 2018 6:05 PM
you can access it in where
where {$_.ID -eq 301 -and $_.MachineName -eq 'server'}
I'm sure you are missing the basics.
Have it from below link, this will surely help you.
https://mva.microsoft.com/en-us/training-courses/getting-started-with-powershell-3-0-jump-start-8276
Regards kvprasoon
Monday, February 12, 2018 6:11 PM
$Computer = Get-WinEvent -LogName $logname | where {$_.ID -eq $eventID} | Select-Object -Property MachineName
I am setting the $Computer variable to the computer name from the field recorded in the event.
As a result, I end up with the field name@value.
I only need to get the value and not the field name.
Thanks
Monday, February 12, 2018 6:47 PM
Select-Object -ExpandProperty MachineName
I would recommend that you follow the link I've shared. These are very basic PowerShell concepts.
You should at least do
Get-Help Select-Object -Full
Regards kvprasoon
Tuesday, February 13, 2018 1:03 AM
Thank you for the comment, jrv!
I am limiting the time of the events to 1 hour and searching for a specific event 6009
$date = (Get-Date).AddHours(-1)
$eventID = "6009"
where {$_.Id -eq $eventID -and $_.TimeCreated -gt $date}
I was able to remove the table header with ft -HideTableHeaders, but my results are displayed in a column (I usually end up with 2 or 3 names).
I need to find a way to display the results as a string, but i guess this is another issue.
Thank you
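The pieces the thread has assembled so far (the -FilterHashtable from the accepted answer, -ExpandProperty MachineName from the later reply, and the one-hour window, event ID and single-string output asked for in the post above) put together in one function. This is an added example, not code posted in the thread; it assumes a Windows host on which the ForwardedEvents log is populated by Windows Event Forwarding, and the function name, parameter names and defaults are the editor's choices.

```powershell
# Added example (not from the thread): return the MachineName of matching events as plain strings.
# Assumes a Windows host with the ForwardedEvents log fed by Windows Event Forwarding.
function Get-EventMachineName {
    [CmdletBinding()]
    param(
        [string]$LogName = 'ForwardedEvents',   # default taken from the thread
        [int]$EventId = 6009,                   # default taken from the thread
        [int]$Hours = 1                         # look-back window in hours
    )

    # Build the filter once. The event log service evaluates it itself, instead of
    # PowerShell deserializing every record and discarding most of them in Where-Object.
    $filter = @{
        LogName   = $LogName
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises a non-terminating "No events were found" error when nothing
    # matches; for this purpose an empty result is a valid outcome, so suppress it.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # -ExpandProperty yields the string value itself. Select-Object -Property MachineName
    # would yield an object with a MachineName property, which prints as @{MachineName=...}.
    # Sort-Object -Unique collapses the repeats you get when one host logged the event twice.
    $events | Select-Object -ExpandProperty MachineName | Sort-Object -Unique
}

# Array of strings, one per distinct host (the @() keeps it an array even for one result).
$computers = @(Get-EventMachineName -EventId 6009 -Hours 1)

# The same result as a single string, e.g. for a ticket title or a notification body.
$computerList = $computers -join ', '

Write-Host ("{0} host(s) logged event 6009 in the last hour: {1}" -f $computers.Count, $computerList)
```

One caveat worth keeping in mind when this feeds a response process: MachineName is the System/Computer element of the forwarded event, i.e. what the source host wrote into its own record. The collector does not verify it, so on a compromised forwarder the name is attacker-controlled, and any automation keyed on it should treat it as a label from the source, not as an authenticated identity.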
Tuesday, February 13, 2018 1:06 AM
You need to do two things. Read the full help for the CmdLet carefully. Take some time to learn PowerShell.
\(ツ)_/
Monday, February 19, 2018 6:59 PM
There is one thing you fail to understand. Filtering an event log with a Where clause will cause you to return ALL event records which will be very slow. Using the "Filter" supplied with the CmdLet causes the event log service to use indexes to return only records that match the index. This can be more than 100 times faster.
Reading the FULL CmdLet help would help you to learn and understand how this works. Taking the tutorial or studying a book on PowerShell would help you with all of your issues. Guessing will not get you good results.
\(ツ)_/
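The speed difference described in the accepted answer and in the post above can be measured on the same log and event ID. This is an added example, not code from the thread; it assumes a Windows host and uses the log name and event ID from the thread, and the function name, its parameters and the output fields are the editor's choices.

```powershell
# Added example (not from the thread): compare client-side Where-Object filtering with the
# event log service's own filter on the same log and event ID. Assumes a Windows host.
function Compare-EventFilter {
    [CmdletBinding()]
    param(
        [string]$LogName = 'ForwardedEvents',   # taken from the thread
        [int]$EventId = 256                     # taken from the thread
    )

    # Client-side: every record in the log is read and turned into an EventLogRecord
    # object, then Where-Object drops all but the matching ones.
    $whereTime = Measure-Command {
        $script:whereResult = @(Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
            Where-Object { $_.Id -eq $EventId })
    }

    # Service-side: the hashtable is turned into a structured query that the Windows Event
    # Log service evaluates, so only matching records cross into PowerShell. The equivalent
    # explicit query would be:
    #   Get-WinEvent -LogName $LogName -FilterXPath "*[System[EventID=$EventId]]"
    $filterTime = Measure-Command {
        $script:filterResult = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
            -ErrorAction SilentlyContinue)
    }

    # Guard against dividing by zero on a tiny log where the filtered query returns instantly.
    $speedup = if ($filterTime.TotalMilliseconds -gt 0) {
        [math]::Round($whereTime.TotalMilliseconds / $filterTime.TotalMilliseconds, 1)
    } else { $null }

    [pscustomobject]@{
        LogName        = $LogName
        EventId        = $EventId
        WhereCount     = $script:whereResult.Count
        FilterCount    = $script:filterResult.Count
        # Both approaches must return the same records; if not, the filter is wrong.
        SameResult     = ($script:whereResult.Count -eq $script:filterResult.Count)
        WhereSeconds   = [math]::Round($whereTime.TotalSeconds, 2)
        FilterSeconds  = [math]::Round($filterTime.TotalSeconds, 2)
        Speedup        = $speedup
    }
}

Compare-EventFilter -LogName 'ForwardedEvents' -EventId 256 | Format-List
```

The gap grows with the size of the log: on a collector that receives events from many hosts the Where-Object variant has to materialize every forwarded record, while the filtered query touches only the matching ones, which is why the ratio on a large log is far bigger than on a freshly created one.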
Monday, February 19, 2018 7:14 PM
JRV
You missed the key word "ForwardedEvents". The events being pulled by the server are already filtered and the event log is getting filled with ONLY events I care about. While your suggestion makes sense in other event logs, filtering filtered is like watering water. I will take it into consideration while studying PowerShell.
Thanks again
Monday, February 19, 2018 7:29 PM
And what does that have to do with this question and why, if the events are filtered, is the answer using a where clause to filter the events?
The log specified is a forwarded log that can contain millions of different event IDs and events from multiple logs. There is no specification for it.
Using "Where" is not a good way to filter event logs and would be misleading to anyone just learning. It is just silly to not use the index based filtering built into the event log. Why else would Microsoft have gone to so much trouble.
When you have enough experience querying event logs you will start to understand why the CmdLet is designed the way it is and why the event logs were totally redesigned for Vista and later.
You can learn many things in many faulty ways. It takes experience and study to learn things correctly. Correct knowledge saves time and mistakes. To be a technician requires that you learn things correctly and not just some way that works some of the time.
\(ツ)_/
Monday, February 19, 2018 7:39 PM
The log specified is a forwarded log that can contain millions of different event IDs and events from multiple logs. There is no specification for it.
\(ツ)_/
You should take the time to learn how to filter the events and set the specifications for it.
Monday, February 19, 2018 7:51 PM
Then why are you filtering it in your query? Forwarded events can be any events you want to forward.
You are arguing about something that makes little sense.
OK. I give up. You are one hundred percent right. We should all not use "Filter" and always use "Where", the earth is flat and the tooth fairy is real.
I guess I have been doing everything wrong for the 40+ years. Perhaps computers do have little bugs running on treadmills inside.
You win. Good luck with your IT work.
\(ツ)_/
Monday, February 19, 2018 7:52 PM
Perhaps computers do have little bugs running on treadmills inside.
\(ツ)_/
Do they not?
Monday, February 19, 2018 8:49 PM
In 1983 I received an HP 13037A minicomputer disk subsystem controller from the Dominican Republic Telco. The thing was as big as a large briefcase. The customer complained that it wouldn't even turn on after one day when it made a racket. When I looked at it, it was quite dirty, so I pulled off the cover to vacuum it out and begin the repairs. There with his tail stuck in the fan was a 6 inch iguana. I guess he was hunting for bugs and got stuck.
\(ツ)_/
Monday, February 19, 2018 9:22 PM
Must have been our grandpop. It was his favorite story to tell to us kids, about an HP 13037A minicomputer disk sent from our homeland in the Dominican Republic to NY.
This is the only thing we have left. (still hanging on the wall)
Monday, February 19, 2018 9:47 PM
No. Not sent to NY. No self respecting DR citizen would ever send anything to NY except themselves. Dominicans make good Yankees!
No. This one was sent to another famous place.
The interface drivers were also much tastier than those Signetics packages. Best I can remember they were all ECL logic and very bus sensitive.
Good little diagram. Very historic. Belongs in a museum.
And imagine that the 13037 was the foundation for the early PC disk controllers. It had a bit-slice Fairchild chipset. I learned how to microcode that little thing. It was really a nice box and could be made to do tricks. I cried when HP moved to Winchester disks. Boring!
\(ツ)_/