Advice archive log parsing : Get-Winevent -path

    • #223656
      Participant
      Topics: 20
      Replies: 30
      Points: 70
      Rank: Member

      Hi,

      I am stuck on where I have gone wrong in regards to running Get-WinEvent -Path across a lot of archived event logs.  I have run the below from within the directory containing the archived event logs, which are all in the .evtx format.

      $obj=@()

      Get-ChildItem | Select-Object -ExpandProperty fullname | foreach {[pscustomObject]$obj += "'$_'"}

      $Logarray = $obj -join(',')

      This gives me an object with the form: <shortened version>

      ‘C:\temp\PowershellLogs\Microsoft-User Experience Virtualization-AgentDriver%4Operational.evtx’,’C:\temp\PowershellLogs\Microsoft-User Experience Virtualization-App Agent%4
      Operational.evtx’,’C:\temp\PowershellLogs\Microsoft-User Experience Virtualization-IPC%4Operational.evtx’

      I get the below error when running the command in the console

      Get-WinEvent -Path $Logarray
      Get-WinEvent : Cannot find drive. A drive with the name ”C’ does not exist.
      At line:1 char:1

      If I copy and paste a quantity of the items in the object into the -path variable it seems to work, but not from using the $Logarray object.  The Help file indicates it can accept a comma separated list of file paths – perhaps I have gone about this the wrong way?

       

    • #223659
      Participant
      Topics: 12
      Replies: 524
      Points: 1,220
      Helping Hand
      Rank: Community Hero

      In your code

      $Logarray = $obj -join(',')
      

      is not an array. It is a single string.
      You can simply use

      $Logarray = Get-ChildItem | Select-Object -ExpandProperty fullname 
      

      PowerShell auto-selects the variable type for you. You rarely have a reason to explicitly define the variable type.
      To see the variable type, you can use the GetType() method as in:

      $Logarray.GetType()
      
      IsPublic IsSerial Name                                     BaseType                                                                               
      -------- -------- ----                                     --------                                                                               
      True     True     Object[]                                 System.Array
      
    • #223674
      Participant
      Topics: 20
      Replies: 30
      Points: 70
      Rank: Member

      Thanks – appreciate your prompt response, I’ve got things working and was over thinking it again!
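
The string-versus-array difference discussed in this thread, shown end to end as an added example (not code from either poster). It assumes the folder path from the question; the per-file loop, the 100-event cap and the variable names are choices made for this example.

```powershell
# Assumption: the archived .evtx files are in the folder named in the question.
$logDir = 'C:\temp\PowershellLogs'

# Enumerate only .evtx files. @() forces an array even when one file matches,
# so the variable is always a collection of path strings.
$logPaths = @(Get-ChildItem -Path $logDir -Filter '*.evtx' -File |
    Select-Object -ExpandProperty FullName)

# The form built in the question: one string holding quotes and commas.
# Get-WinEvent receives it as a single path and fails to resolve it.
$joined = ($logPaths | ForEach-Object { "'$_'" }) -join ','

# Compare the two types before handing either to -Path.
[pscustomobject]@{ Variable = 'joined';   Type = $joined.GetType().FullName }
[pscustomobject]@{ Variable = 'logPaths'; Type = $logPaths.GetType().FullName }

# Query each archive separately so an empty or unreadable file is reported
# and skipped instead of ending the whole run.
$events = foreach ($path in $logPaths) {
    try {
        # -MaxEvents 100 is a sample cap chosen for this example.
        Get-WinEvent -Path $path -MaxEvents 100 -ErrorAction Stop |
            Select-Object TimeCreated, Id, ProviderName,
                @{ Name = 'SourceFile'; Expression = { Split-Path $path -Leaf } }
    }
    catch {
        Write-Warning "Skipped '$path': $($_.Exception.Message)"
    }
}

# Summarise how many events were read from each archive.
$events | Group-Object SourceFile | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Tagging each event with its source file keeps the origin of a record visible once results from many archives are merged.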
