
November 1, 2013 at 3:57 am

Hi,

I started a thread in the old forum but since then my account seems to have disappeared. I can see the old thread but it doesn't work...like my account.

Before you read on, I should mention I'm a PS noob.

I have been working on a script that will contact a number of remote servers and check the application event log over the last 24 hours. I want any repeat alerts to simply count up rather than keep being displayed in the output.

The problem I'm having is I tried using "group-object -property eventid". This provides me with a count of repeat alerts but kills the formatting.

Here's my script and sample output with "group-object -property eventid" included. Without it the output is nice but doesn't give me a repeat count. Hopefully the web page doesn't mess it up.

Invoke-Command -ComputerName (Get-Content C:\test_servers.txt) -Command {Get-EventLog -LogName application -EntryType Error, warning, information -After $(Get-Date).AddHours(-24)| Select-Object machinename, entrytype, message, source, eventid | group-object -property eventid| format-list}| out-file c:\test_eventlog_group.txt

Sample output:
Name : 1704
Count : 2
Group : {@{MachineName=SERVER1; EntryType=Information; Message=Security policy in the Group policy objects has been applied successfully.;
Source=SceCli; EventID=1704}, @{MachineName=SERVER!; EntryType=Information; Message=Security policy in the Group policy objects has been applied
successfully.; Source=SceCli; EventID=1704}}
Values : {1704}

It seems all the content is contained in the "group" field.

Any help appreciated.

November 1, 2013 at 4:19 am

What do you want the output file to look like, ideally? I'm not sure what you're trying to accomplish with the Group-Object cmdlet yet.

November 1, 2013 at 4:25 am

This example would be nice:

MachineName :
EntryType : Information
Message : Security policy in the Group policy objects has been applied successfully.
Source : SceCli
EventID : 1704
Count : The amount of time this alert has repeated.

Next server, same again.

I hoped by grouping the alerts by eventID I would be able to achieve the above.

November 1, 2013 at 5:24 am

OK, you're on the right track. I haven't tested this code, but something like this might work. I've separated the code out into multiple lines to make it more readable. The main change is that instead of outputting the GroupInfo objects to a file, I took the first actual event object and added a "Count" property to it, and that's what gets passed on to Format-List and Out-File.

On a side note, you might want to group by both EventID and Source (as that's what uniquely identifies a type of event), rather than just EventID. I've shown how to do that in the example below.

Edit: Moved the ForEach-Object loop back into the remote script block, to improve performance (reducing the amount of traffic sent over the network.)

# Runs on each remote server, so the grouping happens before anything crosses the network.
# Grouping on EventID plus Source: the pair identifies an event type, EventID alone does not.
# Inside ForEach-Object, the first event of each group is tagged with the group's Count;
# -PassThru emits that modified event so it is what reaches Format-List.
$remoteScriptBlock = {
    Get-EventLog -LogName application -EntryType Error, warning, information -After (Get-Date).AddHours(-24) |
    Select-Object machinename, entrytype, message, source, eventid |
    Group-Object -Property EventID, Source |
    ForEach-Object {
        $groupInfo = $_
        Add-Member -InputObject $groupInfo.Group[0] -MemberType NoteProperty -Name Count -Value $groupInfo.Count -PassThru
    }
}

# -Command is an alias of -ScriptBlock; the returned objects are formatted locally and written to the file.
Invoke-Command -ComputerName (Get-Content C:\test_servers.txt) -Command $remoteScriptBlock |
Format-List |
Out-File c:\test_eventlog_group.txt
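A variant of the same grouping idea, added here as an example and not code from the thread: it groups by EventID and Source as above, but builds a fresh object per group that also records when the event first and last fired, which tells you whether a repeated error is still occurring. The function name, the FirstSeen/LastSeen property names and the sample entries are this example's own assumptions; it expects the TimeGenerated property that Get-EventLog provides, so do not Select-Object it away before piping events in.

```powershell
# Added example (not from the thread). Summarises log entries per EventID+Source
# pair with a repeat count plus first/last timestamps. Function and property
# names are this example's own choices, not anything Get-EventLog defines.
function Get-EventSummary {
    param(
        # Objects with the properties Get-EventLog exposes (MachineName, EntryType,
        # Source, EventID, TimeGenerated, Message); taken as input so the grouping
        # logic can be exercised without a live event log.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Event
    )
    begin { $all = New-Object System.Collections.Generic.List[object] }
    process { foreach ($e in $Event) { $all.Add($e) } }
    end {
        $all |
            Group-Object -Property EventID, Source |
            ForEach-Object {
                # Newest entry first, so Message reflects the latest occurrence
                $sorted = @($_.Group | Sort-Object TimeGenerated -Descending)
                [pscustomobject]@{
                    MachineName = $sorted[0].MachineName
                    EntryType   = $sorted[0].EntryType
                    Source      = $sorted[0].Source
                    EventID     = $sorted[0].EventID
                    Count       = $_.Count
                    FirstSeen   = $sorted[-1].TimeGenerated
                    LastSeen    = $sorted[0].TimeGenerated
                    Message     = $sorted[0].Message
                }
            } |
            Sort-Object Count -Descending
    }
}

# Offline demonstration with constructed sample entries (not real log data).
$sample = @(
    [pscustomobject]@{ MachineName='SERVER1'; EntryType='Information'; Source='SceCli'; EventID=1704; TimeGenerated=(Get-Date).AddHours(-20); Message='Security policy in the Group policy objects has been applied successfully.' }
    [pscustomobject]@{ MachineName='SERVER1'; EntryType='Information'; Source='SceCli'; EventID=1704; TimeGenerated=(Get-Date).AddHours(-2);  Message='Security policy in the Group policy objects has been applied successfully.' }
    [pscustomobject]@{ MachineName='SERVER1'; EntryType='Error';       Source='Application Error'; EventID=1000; TimeGenerated=(Get-Date).AddHours(-5); Message='Constructed sample error entry' }
)
$sample | Get-EventSummary | Format-List

# To use it against real servers the way Dave's version does, define this function
# inside the remote script block and pipe Get-EventLog output into it there, so
# only the per-group summary objects come back over the network.
```

Expected output for the sample is two objects: the SceCli 1704 entry with Count 2 and a 18-hour gap between FirstSeen and LastSeen, then the Application Error 1000 entry with Count 1.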


November 1, 2013 at 5:33 am

Thanks Dave, I really appreciate your help.

I'll try and give this a test this afternoon. No doubt I'll have more questions 🙂

December 5, 2013 at 4:00 am

Hi Dave,

I tested this script and it works perfectly. Once again thanks for your time and sharing your knowledge.

Regards,

John.