
I'm using this command to return a table of results:

Get-WinEvent -LogName 'System' -MaxEvents 40 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

Select-Object is specifically desired because it prevents the results from being grouped by ProviderName. I want the results in a single table.

I want to filter the results so that it only returns the top 40 results where the ID is in a list. I know I can use Where-Object to achieve this with ...Where-Object { $_.ID -match "41|1074|6006|6008" }..., but Where-Object returns the results grouped by ProviderName.

I'm pretty new to PowerShell; I've done plenty of searching on the web and experimenting with piping the results of Select-Object, but can't get useful results.

How do I return the top X results matching a particular condition on a property such as ID, but also in a single table?

3 Answers


It's probably more efficient to prefilter by providing Get-WinEvent a filter directly rather than having it pull unfiltered events and then sifting for what you want.

The code below will return only what you want using such a filter. Then you can use RetiredGeek's solution to produce a custom Format-Table view on the data :)

$xmlFilter = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(EventID=41 or EventID=1074 or EventID=6006 or EventID=6008)]]</Select>
  </Query>
</QueryList>
'@

Get-WinEvent -MaxEvents 40 -FilterXML $xmlFilter |
    Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

An XML filter can be built directly from Windows Event Viewer using the filter GUI and then clicking on the XML tab at the top. If you use it often you will eventually pick up on the syntax and be able to quickly write one yourself (or you can just keep using the filter option in Event Viewer =) )

P.S., there are -FilterXPath and -FilterHashtable options as well if you don't like the XML way (e.g. copying and pasting from Event Viewer like a crook... feels dirty)


Jlanger,

Here's one possible solution that you can adjust as necessary. Note: this does require expanding the width of the Console Window to get reasonable readout. I set mine to a width of 150.

Clear-Host
# One hashtable per column; the keys Expression, Label and Align are the
# calculated-property keys Format-Table understands (Align is short for Alignment).
$fmtGWE = @{Expression = {$_.TimeCreated}; Label = "Time Created"; Align = "Right"},
          @{Expression = {$_.Id}; Label = "ID"; Align = "Right"},
          @{Expression = {$_.ProviderName}; Label = "Provider"; Align = "Left"},
          @{Expression = {$_.LevelDisplayName}; Label = "Level"; Align = "Left"},
          @{Expression = {$_.Message}; Label = "Message"}
Get-WinEvent -LogName 'System' -MaxEvents 40 |
  # Regex is anchored so that 30 matches only ID 30, not 7030 or 3030
  Where-Object { $_.Id -match '^(7045|10016|30|50036)$' } |
  Format-Table -Property $fmtGWE -AutoSize -Wrap

Sample output using different event codes, as I'm not on a domain.

If you can't save and/or run the above as a script, you can just keep it in a notepad file and copy & paste it into your console.

You'll notice that even on my 27" screen you'll still have to scroll to read the entire message. You could also use Ctrl+Wheel to reduce the text size.

1 Comment

I wasn't able to get any output from this, after pressing Enter it would just go to the next line to enter a new command

Posting an answer with the final working version that I prefer, but leaving @Daniel's answer as the accepted answer since it works and was what led me to getting my final working version.

I found this question, which helped: Get-WinEvent -FilterHashTable with multiple IDs in a variable not working

I prefer this version as it's shorter and I think easier to read.

It also became apparent that returning fewer results was fine in my situation. It would be possible to filter by the date as well, but I don't have the time to put toward doing that.

Get-WinEvent -MaxEvents 10 -FilterHashtable @{logname='System'; ID = 41,1074,6006,6008} | 
Select-Object TimeCreated, ID, LevelDisplayName, Message | 
Format-Table -AutoSize

To reiterate for anyone looking at this answer, piping the results into Select-Object means that the results are in one table rather than being grouped by ProviderName.
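As an added example (not code from the question or any of the answers), the -FilterHashtable approach above wrapped in a function that also applies the date filter the answer mentions but does not implement, and that handles the "no matching events" case. The function name Get-ShutdownEvents and its parameter names are my own choice; the default IDs are the four from the question.

```powershell
# Added example, not part of the original answer. Function and parameter
# names are chosen for this illustration.
function Get-ShutdownEvents {
    [CmdletBinding()]
    param(
        # 41 = Kernel-Power (system rebooted without a clean shutdown),
        # 1074 = user- or process-initiated shutdown/restart,
        # 6006 = event log service stopped (clean shutdown),
        # 6008 = previous shutdown was unexpected.
        [int[]]$Id = @(41, 1074, 6006, 6008),
        [int]$MaxEvents = 40,
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        [string]$LogName = 'System'
    )

    # LogName, Id and StartTime are all keys -FilterHashtable accepts, so the
    # filtering happens in the event log service instead of in Where-Object.
    $filter = @{
        LogName   = $LogName
        Id        = $Id
        StartTime = $StartTime
    }

    # Get-WinEvent returns newest events first, so -MaxEvents N yields the
    # N most recent matches. When nothing matches it writes the error
    # "No events were found that match the specified selection criteria"
    # instead of returning an empty result; SilentlyContinue turns that
    # into an empty pipeline so callers can test for $null.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

# Shutdown/reboot events from the last 24 hours as a single table; piping
# through Select-Object first keeps Format-Table from grouping by ProviderName.
Get-ShutdownEvents -StartTime (Get-Date).AddDays(-1) |
    Format-Table -AutoSize -Wrap
```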
