Get event logs for specific date

This topic contains 4 replies, has 3 voices, and was last updated by Nick Chard 1 year, 10 months ago.

  • #21799
    Nick Chard
    Participant

    Hi,

    I'm trying to list all event logs for a specific date

    I've tried this, but it doesn't return any results

    Get-EventLog -LogName System | where { $_.timegenerated -like "10/01*" }

    I can get events before or after a date by using this:

    Get-EventLog -LogName System | where { $_.timegenerated -gt (Get-Date).AddDays(-7) }
    Get-EventLog -LogName System | where { $_.timegenerated -lt (Get-Date).AddDays(-7) }

    I guess it's something to do with TimeGenerated being a System.DateTime object type, so maybe it should look a bit like this:

    $date = New-Object -TypeName System.DateTime
    Get-EventLog -LogName System | where { $_.timegenerated -eq $date }

    I can't work out how to assign the current date to $date, can someone point me in the right direction?

    Thanks

  • #21800
    Will Anderson
    Keymaster

    Hey there Nick,

    Try this:

    Get-EventLog System | Where-Object TimeWritten -Like "12/12*"

    If you do a Get-EventLog System | Get-Member, it'll give you the properties of the objects you're retrieving. I also used Select-Object -First 1 to limit my selection to the first log entry so I didn't have to swim through everything:

    Get-EventLog System | Select-Object -First 1 | Get-Member

    You'll see that what you want to filter on is the TimeWritten property. Let me know if that helps!

  • #21801
    Richard Siddaway
    Moderator

    Might be easier to use the -Before and -After parameters

    Get-EventLog -LogName System -After (Get-Date -Date '1/1/2015')
    Get-EventLog -LogName System -After (Get-Date -Date '1/1/2015') -Before (Get-Date -Date '10/1/2015')

  • #21802
    Will Anderson
    Keymaster

    Or that. 🙂

  • #21811
    Nick Chard
    Participant

    Hi, and thanks for your input. I found the problem, it's to do with date format.

    We use dd/mm/yy in the UK, and PowerShell displays dates in this format, so does Event Viewer. For some reason I have to use mm/dd/yy when I narrow down my results with where-object. I realised this when I searched using 12/12, as suggested by @Will Anderson, and it worked.

    PS D:\> Get-EventLog -LogName System -newest 1 | where { $_.TimeWritten -like "*2015*" } | select TimeWritten

    TimeWritten
    -----------
    13/01/2015 09:08:20

    PS D:\> Get-EventLog -LogName System -newest 1 | where { $_.TimeWritten -like "13/01/2015*" } | select TimeWritten
    No Results

    PS D:\> Get-EventLog -LogName System -newest 1 | where { $_.TimeWritten -like "01/13/2015*" } | select TimeWritten

    TimeWritten
    -----------
    13/01/2015 09:08:20
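
The date-format behaviour found in the last post can be sidestepped by comparing DateTime values instead of matching text. This is an added example, not code from any of the posts: the sample records are constructed, and Get-EventLogForDay is a hypothetical helper name.

```powershell
# Constructed sample records standing in for Get-EventLog output.
$sample = @(
    [pscustomobject]@{ EventID = 7036; TimeWritten = [datetime]::new(2015, 1, 12, 23, 59, 59) }
    [pscustomobject]@{ EventID = 6005; TimeWritten = [datetime]::new(2015, 1, 13, 0, 0, 0) }
    [pscustomobject]@{ EventID = 7036; TimeWritten = [datetime]::new(2015, 1, 13, 9, 8, 20) }
    [pscustomobject]@{ EventID = 1074; TimeWritten = [datetime]::new(2015, 1, 14, 0, 0, 0) }
)

# Why the wildcard only matched with the month first:
# the console formats a DateTime with the current culture, while -like
# converts it to a string with the invariant culture (month first).
$gb = [System.Globalization.CultureInfo]::GetCultureInfo('en-GB')
$t  = $sample[2].TimeWritten
$t.ToString($gb)    # day first, the form a UK console displays
[string]$t          # month first, the text that -like is matched against

# Culture-independent filter: build the day from numbers (year, month, day)
# and compare DateTime to DateTime, so no string parsing is involved.
$day = [datetime]::new(2015, 1, 13)
$sample | Where-Object { $_.TimeWritten.Date -eq $day }

# The same day as a half-open range: midnight inclusive, next midnight exclusive.
$sample | Where-Object { $_.TimeWritten -ge $day -and $_.TimeWritten -lt $day.AddDays(1) }

# Against the live log: -After/-Before act as a coarse pre-filter, one day
# wider on each side, so the result does not depend on how the cmdlet treats
# the boundary; the exact day test is done on the DateTime itself.
function Get-EventLogForDay {
    param(
        [string]$LogName = 'System',
        [Parameter(Mandatory)][datetime]$Day
    )
    $start = $Day.Date
    Get-EventLog -LogName $LogName -After $start.AddDays(-1) -Before $start.AddDays(2) |
        Where-Object { $_.TimeWritten.Date -eq $start }
}

# Usage: Get-EventLogForDay -Day ([datetime]::new(2015, 1, 13))
```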
