Advice archive log parsing : Get-Winevent -path

[BashToPowershell Participant Topics: 20 Replies: 30 Points: 73Rank: Member]

Hi,

I am stuck on where I have gone wrong in regards to running get-winevent -path across a lot of archived event logs.  I have run the below from within the directory containing the archived event logs that are all in the .evtx format

[email protected]()

Get-ChildItem | Select-Object -ExpandProperty fullname | foreach {[pscustomObject]$obj += “‘$_'”}

$Logarray = $obj -join(‘,’)

This gives me an object in with the form: <shortened version>

‘C:\temp\PowershellLogs\Microsoft-User Experience Virtualization-AgentDriver%4Operational.evtx’,’C:\temp\PowershellLogs\Microsoft-User Experience Virtualization-App Agent%4
Operational.evtx’,’C:\temp\PowershellLogs\Microsoft-User Experience Virtualization-IPC%4Operational.evtx’

I get the below error when running the command in the console

Get-WinEvent -Path $Logarray
Get-WinEvent : Cannot find drive. A drive with the name ”C’ does not exist.
At line:1 char:1

If I copy and paste a quantity of the items in the object into the -path variable it seems to work, but not from using the $Logarray object.  The Help file indicates it can accept a comma separated list of file paths – perhaps I have gone about this thw wrong way?

 

[Sam Boutros Participant Topics: 12 Replies: 547 Points: 1,345Rank: Community Hero]

In your code

PowerShell

$Logarray = $obj -join(',')

1	$Logarray = $obj -join(',')

is not an array. It is a single string
You can simply use

PowerShell

$Logarray = Get-ChildItem | Select-Object -ExpandProperty fullname

1	$Logarray = Get-ChildItem | Select-Object -ExpandProperty fullname

Powershell auto-selects the variable type for you. You rarely have a reason to explicitly define the variable type.
To see the variable type, you can use the gettype() method as in:

PowerShell

$Logarray.GetType() IsPublic IsSerial Name BaseType -------- -------- ---- -------- True True Object[] System.Array

1 2 3 4 5

$Logarray.GetType()   IsPublic IsSerial Name                                     BaseType                                                                               -------- -------- ----                                     --------                                                                               True     True     Object[]                                 System.Array

[BashToPowershell Participant Topics: 20 Replies: 30 Points: 73Rank: Member]

Thanks – appreciate your prompt response, I’ve got things working and was over thinking it again!

[Author]

Posts