Event log - how get event IDs of most frequent incidents?


This topic contains 4 replies, has 3 voices, and was last updated 1 month, 4 weeks ago.
  • #167377

    Participant

    Hi all!

    I have made a script that reads the Windows event log for system/application and does some simple statistics for last 7 days.
    Number of errors for the period, as well as number of warnings etc.
    Works great!

    —> QUESTION: <— How to write PowerShell code that shows which *Event IDs* are the most *common*? Like a top ten list of warnings/errors or something like that. Desired output would be something like this:

    2019-07-22 ; 2019-07-15 ; EventID; 55  ; Frequency; 102
    2019-07-22 ; 2019-07-15 ; EventID; 123 ; Frequency; 56
    2019-07-22 ; 2019-07-15 ; EventID; 32  ; Frequency; 34
    Start-date ; end-date   ; EventID; XX  ; Frequency; YY

    (*) Frequency just means number of hits/occurrences for that specific event ID.

    The top 5 or so would do just fine. But I need to measure out exactly which event ID is the most common/has the most hits/highest frequency/most occurrences.

    What I have done so far is a foreach that counts up the event ID with increments of 1 at a time – but that is not very elegant and is way too slow (considering that theoretically the range would be 1-65535).

    Any ideas? Have a nice day!

  • #167389

    Senior Moderator

    Cmdlets you would need are Get-WinEvent, Group-Object and a Foreach loop. Try to put some code after reading online help docs for these cmdlets.
    Share the code when you get stuck/error here... people will help.

  • #167392

    Participant

    @fredrikhedlund38 As per your details, you can use the code below for the example:

    Code:

    $after  = (Get-Date).AddDays(-7)
    $before = Get-Date

    # Group warnings and errors by EventID. (Grouping by Index would give one
    # group per log entry, since Index is unique for every record.)
    $group_indexs = Get-EventLog -LogName System -After $after -Before $before |
        Where-Object { $_.EntryType -match 'Warning|Error' } |
        Group-Object -Property EventID

    foreach ($group_index in $group_indexs) {
        Write-Host "Start-date: $($after.ToString('yyyy-MM-dd')) End-date: $($before.ToString('yyyy-MM-dd')) Frequency: $($group_index.Count) EventID: $($group_index.Name)"
    }
  • #167395

    Participant

    Cmdlets you would need are Get-WinEvent, Group-Object and a Foreach loop. Try to put some code after reading online help docs for these cmdlets.

    Share the code when you get stuck/error here... people will help.

    Thanks!
    This solved my problem – I think!

    This is what I came up with:

    ### PowerShell version 2.0 (1.0?)

    # Read from disk once
    $systemerror = Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-8) -Before (Get-Date).AddDays(-1)

    # count, name (name = event id)
    # EventID is the 16-bit event number; InstanceId also carries the qualifier
    # bits, so the two values are not always the same.
    $systemerror | Group-Object -Property EventID

    ### PowerShell version 3.0, 4.0, 5.1

    # Read from disk once
    $systemerror = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Level     = 2          # 2 = Error
        StartTime = (Get-Date).AddDays(-8)
        EndTime   = (Get-Date).AddDays(-1)
    }

    # count, name (name = event id)
    $systemerror | Group-Object -Property Id | Select-Object Count, Name
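    The snippets above give the raw groups but not the ranked top-N list with the start/end dates that the question asked for. The following is an added example, not code from any post in this thread; it assumes PowerShell 3.0 or later (for Get-WinEvent -FilterHashtable) and the function and parameter names are my own. It groups on ProviderName as well as Id, because event IDs are only unique within a provider: the same numeric ID from two different sources are unrelated events and should not be counted together.

```powershell
# Added example (not from the original thread): top-N event IDs from the last
# N days, emitted in the "start ; end ; EventID ; Frequency" shape the question
# asked for. Function and parameter names are my own (hypothetical).
function Get-TopEventId {
    [CmdletBinding()]
    param(
        [string[]]$LogName = @('System', 'Application'),
        [int[]]$Level      = @(2, 3),   # 1=Critical 2=Error 3=Warning 4=Information
        [int]$Days         = 7,
        [int]$Top          = 5
    )

    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # One pass over the log(s). Filtering in the hashtable is done by the event
    # log service and is far faster than piping everything through Where-Object.
    # -ErrorAction SilentlyContinue suppresses the terminating "No events were
    # found" error Get-WinEvent throws when the filter matches nothing.
    $filter = @{ LogName = $LogName; Level = $Level; StartTime = $start; EndTime = $end }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Event IDs are only unique per provider, so group on ProviderName and Id
    # together; Group-Object does the counting, Sort-Object ranks the groups.
    $events |
        Group-Object -Property ProviderName, Id |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                StartDate = $start.ToString('yyyy-MM-dd')
                EndDate   = $end.ToString('yyyy-MM-dd')
                Provider  = $first.ProviderName
                EventID   = $first.Id
                Frequency = $_.Count
            }
        }
}

# Usage: the top 5 errors/warnings of the last 7 days as a table,
# or as the semicolon-separated lines from the question.
Get-TopEventId -Top 5 | Format-Table -AutoSize
Get-TopEventId -Top 5 | ConvertTo-Csv -Delimiter ';' -NoTypeInformation
```

    Reading the Security log with the same function (`-LogName Security`) requires an elevated session; for a top list of failed logons or similar you would also normally restrict Level to 0 (the Security log uses audit success/failure keywords rather than Level), so adjust the filter accordingly.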
    
  • #167404

    Participant

    Thanks! I'll check it out!

    Just for curiosity, where is that $hasharray used? I can't see where?
