Get-EventLog with multiple exclusions

This topic contains 4 replies, has 2 voices, and was last updated by  iain Barnetson 2 weeks, 3 days ago.

  • #101816

    iain Barnetson
    Participant

    I'm trying to exclude certain events, some with specific messages. When I exclude Event IDs, it works as expected. When I exclude an Event ID with a specific Message, it works as expected. But if I try to exclude Event IDs and also a specific Event ID with a specific Message, it still returns the Event ID & Message I'm trying to exclude....

    This works as expected....

    $GetData = {
    [PSCustomObject]@{
    EventLog =  $(Get-EventLog -Log "Application" -After (Get-Date).AddDays(-1) -EntryType Error,Warning | `
    ? { $_.eventID -ne 1300 -and $_.Message -notcontains "*SQLsafe Backup Service version*" } | Select TimeGenerated,Category,EventID,EntryType,Message)}
    }
    
    Invoke-Command -ComputerName ServerName -ScriptBlock $GetData -ErrorAction SilentlyContinue
    

    This works as expected....

    $GetData = {
    [PSCustomObject]@{
    EventLog =  $(Get-EventLog -Log "Application" -After (Get-Date).AddDays(-1) -EntryType Error,Warning | `
    ? { { $_.eventID -NotMatch '9245|1008' } } | Select TimeGenerated,Category,EventID,EntryType,Message)}
    }
    
    Invoke-Command -ComputerName ServerName -ScriptBlock $GetData -ErrorAction SilentlyContinue
    

    But this doesn't....it still returns the 1300 events with the SqlSafe message.

    $GetData = {
    [PSCustomObject]@{
    EventLog =  $(Get-EventLog -Log "Application" -After (Get-Date).AddDays(-1) -EntryType Error,Warning | `
    ? { { $_.eventID -NotMatch '9245|1008' } -Or { $_.eventID -Ne 1300 -And $_.Message -notcontains "*SQLsafe Backup Service version*" } } | Select TimeGenerated,Category,EventID,EntryType,Message)}
    }
    
    Invoke-Command -ComputerName ServerName -ScriptBlock $GetData -ErrorAction SilentlyContinue
    

    What am I doing wrong?

    *I'm using the PSCustomObject as I've a few other commands being run on the servers at the same time.

  • #101818

    Jon
    Participant

    It looks fine to me. I do not have the specific message you have, but I ran this and it filtered out what I expected it to.

    get-eventlog -LogName Application | where {{$_.EventID -ne 1704} -or {$_.EventID -ne 1312 -and $_.message -notcontains "*software protection*"}}
    • #101819

      iain Barnetson
      Participant
      PS C:\Windows\system32> 
      $GetData = {
      [PSCustomObject]@{
      EventLog =  $(Get-EventLog -Log "Application" -After (Get-Date).AddDays(-1) -EntryType Error,Warning | `
      ? { { $_.eventID -NotMatch '9245|1008' } -Or { $_.eventID -Ne 1300 -And $_.Message -notcontains "*SQLsafe Backup Service version*" } } | Select TimeGenerated,Category,EventID,EntryType,Message)}
      }
      
      Invoke-Command -ComputerName $ServerName -ScriptBlock $GetData -ErrorAction SilentlyContinue
      
      
      EventLog                                                                                                                                                                                                          
      --------                                                                                                                                                                                                          
      {@{TimeGenerated=6/5/2018 9:45:18 AM; Category=Operational; EventID=1300; EntryType=Error; Message=SQLsafe Backup Service version 8.4.2.2: ...                                                                    
      
      
    • #101836

      Jon
      Participant

      Hmmm, this does seem odd. The initial validation I did was a false positive, I think... more digging, and the only way I could get it to work was by doing this:

      get-eventlog -LogName System | where {$_.EventID -notmatch '36871|6013' -or $_.EventID -eq 7036 -and $_.message -notlike "*running state*"}

      Which is going off the assumption that
      1) I want no events with the event IDs of 36871 and 6013, or in your case 9245 and 1008
      2) You want event IDs of 1300 but not the ones that contain the message of "sql safe...."

      Is that right?

    • #101848

      iain Barnetson
      Participant

      yes it is.
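
The behaviour discussed in this thread can be reproduced offline. The following is an added example, not code from either poster: it runs the nested-script-block filter and the `-notcontains` test against constructed sample records, then applies the exclusions from the thread (IDs 9245 and 1008, plus ID 1300 only when the message matches the SQLsafe text) with explicit grouping. The sample records and the `$excludeIds` variable name are assumptions made for the example; `-notin` requires PowerShell 3.0 or later.

```powershell
# Constructed sample records standing in for Get-EventLog output (not real log data).
$events = @(
    [PSCustomObject]@{ EventID = 1300; Message = 'SQLsafe Backup Service version 8.4.2.2: ...' }
    [PSCustomObject]@{ EventID = 1300; Message = 'Constructed: a different 1300 error' }
    [PSCustomObject]@{ EventID = 9245; Message = 'Constructed: noisy event' }
    [PSCustomObject]@{ EventID = 1008; Message = 'Constructed: noisy event' }
    [PSCustomObject]@{ EventID = 4625; Message = 'Constructed: event that must be kept' }
)

# 1. A nested script block is an object, not a test result. Where-Object
#    converts that object to Boolean, which is always $true, so this
#    filter lets every record through, including 9245 and 1008.
$nested = @($events | Where-Object { { $_.EventID -notmatch '9245|1008' } })

# 2. -notcontains tests collection membership and does no wildcard matching.
#    A message string is never literally equal to the pattern text, so the
#    result is $true even for the SQLsafe message. -notlike does wildcards.
$membership = $events[0].Message -notcontains '*SQLsafe Backup Service version*'
$wildcard   = $events[0].Message -notlike     '*SQLsafe Backup Service version*'

# 3. Exclusions with one flat expression and explicit parentheses.
#    -and and -or have equal precedence in PowerShell and are evaluated
#    left to right, so the grouping is spelled out rather than implied.
#    -notin compares whole IDs; a regex such as '9245|1008' would also
#    match longer IDs that merely contain those digits.
$excludeIds = 9245, 1008   # hypothetical variable name
$filtered = @($events | Where-Object {
    ($_.EventID -notin $excludeIds) -and
    -not ($_.EventID -eq 1300 -and $_.Message -like '*SQLsafe Backup Service version*')
})

"Nested script block filter kept : $($nested.Count) of $($events.Count) records"
"-notcontains on SQLsafe message : $membership"
"-notlike on SQLsafe message     : $wildcard"
"Flat filter kept                : $($filtered.Count) of $($events.Count) records"
$filtered | Format-Table EventID, Message -AutoSize
```

When a filter like this feeds alert triage, checking it against a record that must be dropped and one that must be kept, as done here, catches a filter that silently passes everything.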
