Event log – how get event IDs of most frequent incidents?

    • #167377
      Participant
      Topics: 1
      Replies: 2
      Points: 23
      Rank: Member

      Hi all!

      I have made a script that reads the Windows event log for system/application and does some simple statistics for last 7 days.
      Number of errors for the period, as well as number of warnings etc.
      Works great!

      —> QUESTION: <—
      How to write PowerShell code that shows which *Event IDs* are the most *common*? Like a top ten list of warnings/errors or something like that.

      Desired output would be something like this:

      2019-07-22 ; 2019-07-15 ; EventID; 55 ;Frequency; 102
      2019-07-22 ; 2019-07-15 ; EventID; 123 ;Frequency; 56
      2019-07-22 ; 2019-07-15 ; EventID; 32 ;Frequency; 34

      Start-date     ; end-date    ; EventID; XX   ; Frequency ; YY

      (*) Frequency just means number of hits/occurrences for that specific event-id. The top 5 or so would do just fine. But I need to measure out exactly which event id is the most common/has the most hits/highest frequency/most occurrences

      What I have done so far is a foreach that counts up the event-id with increments of 1 at a time – but that is not very elegant and is way too slow (considering that theoretically the range would be 1-65535)

      Any ideas?

      Have a nice day!

    • #167389
      Senior Moderator
      Topics: 8
      Replies: 1160
      Points: 4,056
      Helping Hand
      Rank: Community Hero

      Cmdlets you would need are Get-WinEvent, Group-Object and a Foreach loop. Try to put some code after reading online help docs for these cmdlets.
      Share the code when you get stuck/error here… people will help.

    • #167392
      Participant
      Topics: 0
      Replies: 45
      Points: 243
      Helping Hand
      Rank: Participant

      @fredrikhedlund38   As per your details, you can use the code below for the example:

      Code:

      $after  = (Get-Date).AddDays(-7)
      $before = Get-Date

      # Group on EventID, not Index: Index is unique per entry, so grouping on it
      # yields one group of size 1 per event and never shows a frequency.
      $group_indexs = Get-EventLog -LogName System -After $after -Before $before |
          Where-Object { $_.EntryType -match 'Warning|Error' } |
          Group-Object -Property EventID |
          Sort-Object -Property Count -Descending

      foreach ($group_index in $group_indexs) {
          Write-Host ("Start-date: {0} End-date: {1} Frequency: {2} EventID: {3}" -f `
              $after.ToString('yyyy-MM-dd'), $before.ToString('yyyy-MM-dd'), $group_index.Count, $group_index.Name)
      }
    • #167395
      Participant
      Topics: 1
      Replies: 2
      Points: 23
      Rank: Member

      Cmdlets you would need are Get-WinEvent, Group-Object and a Foreach loop. Try to put some code after reading online help docs for these cmdlets.

      Share the code when you get stuck/error here… people will help.

      Thanks!
      This solved my problem – I think!

      This is what I came up with:

      ### PowerShell version 2.0 (1.0?)
      
      # Read from disk once
      
      $systemerror = Get-EventLog -LogName SYSTEM -EntryType Error -After (Get-Date).AddDays(-8) -Before (Get-Date).AddDays(-1)
      
      # count,name (name = event id), most frequent first
      # InstanceID carries the full 32-bit id; EventID is the low 16 bits that Event Viewer shows
      $systemerror | Group-Object -Property InstanceID | Sort-Object -Property Count -Descending | Select-Object Count,Name
      
      ### PowerShell version 3.0, 4.0, 5.1
      
      # Read from disk once; Level is numeric (1=Critical, 2=Error, 3=Warning, 4=Information)
      
      $systemerror = Get-WinEvent -FilterHashtable @{
          LogName   = 'SYSTEM'
          Level     = 2
          StartTime = (Get-Date).AddDays(-8)
          EndTime   = (Get-Date).AddDays(-1)
      }
      
      # count,name (name = event id), most frequent first
      $systemerror | Group-Object -Property Id | Sort-Object -Property Count -Descending | Select-Object Count,Name
      
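      The snippets in this thread each read a single log and group on the bare event ID. The script below is an added example (not code from the thread or from PowerShell.org) that carries the same Get-WinEvent / Group-Object / Sort-Object idea a step further: it covers several logs at once, groups on provider plus event ID (the same numeric ID means different things for different providers), and emits the "start ; end ; EventID ; Frequency" layout the question asks for. The parameter names, the default log list and the handling of the no-events case are my own assumptions; it requires PowerShell 3.0 or later and rights to read the chosen logs.

```powershell
# Added example, not from the original thread. Top-N most frequent
# Error/Warning events per log over a date window, grouped by provider + ID.
# Requires PowerShell 3.0+ (Get-WinEvent -FilterHashtable).
param(
    [string[]]$LogName = @('System', 'Application'),   # assumed defaults
    [int[]]$Level      = @(2, 3),   # 1=Critical, 2=Error, 3=Warning, 4=Information
    [int]$Days         = 7,
    [int]$Top          = 10
)

$end   = Get-Date
$start = $end.AddDays(-$Days)
$fmt   = 'yyyy-MM-dd'

foreach ($log in $LogName) {
    # One read from disk per log. Get-WinEvent writes a non-terminating error
    # when nothing matches the filter, so suppress it and treat that as "no events".
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Level     = $Level
        StartTime = $start
        EndTime   = $end
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        '{0} ; {1} ; Log; {2} ; no matching events' -f $start.ToString($fmt), $end.ToString($fmt), $log
        continue
    }

    # Grouping on ProviderName and Id together keeps, e.g., Service Control
    # Manager 7034 separate from any other provider's 7034.
    $events |
        Group-Object -Property ProviderName, Id |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $first = $_.Group[0]
            '{0} ; {1} ; Log; {2} ; Provider; {3} ; EventID; {4} ; Frequency; {5}' -f `
                $start.ToString($fmt), $end.ToString($fmt), $log,
                $first.ProviderName, $first.Id, $_.Count
        }
}
```

      Save it as a .ps1 and run it as-is for the last 7 days, or pass e.g. `-LogName Security -Level 4 -Days 1 -Top 5` to baseline a different log. Because the whole window is read once and grouped in memory, the run time scales with the number of events in the window rather than with the 1-65535 ID range, which is what makes the per-ID counting loop from the question slow.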
    • #167404
      Participant
      Topics: 1
      Replies: 2
      Points: 23
      Rank: Member

      Thanks! I'll check it out!

      Just for curiosity, where is that $hasharray used? I can't see where?
