
May 12, 2014 at 9:32 am

Hello!

Been racking my brain on this for a while now. Here's the scenario:

I'm collecting event logs from multiple computers. I only want to see the unique events, so what I was originally doing was using Sort-Object with the -Unique parameter. The problem that I've run into is that it uniques it across the board. Rather than unique it across the board, I want to unique it per server.

I suspect I'm overlooking the obvious somewhere here. Right now, all the events are being stored in one variable. I'm imagining that will have to change, but I'm not even sure where to begin at this point.

Would much appreciate some pointers/direction to help me get past this mental block I can't seem to figure out.

Thanks in advance!

May 12, 2014 at 9:37 am

What commands are you using so far?

May 12, 2014 at 9:42 am

It's not the prettiest (nor most efficient code), but this is what I've done so far:

That's when I realized I had the problem, as I generated a couple of test events on the two test machines, and it all uniqued down to one.

EDIT: Removed the code, linked to Gist instead.

May 12, 2014 at 9:51 am

That's odd. As long as you're including MachineName in your argument to the -Property parameter (which you are), that shouldn't happen. Here's some test code that I used to demonstrate this behavior (requiring at least PowerShell 3.0 for the [pscustomobject] syntax):

$objects = @(
    [pscustomobject] @{ Message = '1'; MachineName = '1' }
    [pscustomobject] @{ Message = '2'; MachineName = '1' }
    [pscustomobject] @{ Message = '3'; MachineName = '1' }
    [pscustomobject] @{ Message = '4'; MachineName = '1' }
    [pscustomobject] @{ Message = '5'; MachineName = '1' }
    [pscustomobject] @{ Message = '1'; MachineName = '2' }
    [pscustomobject] @{ Message = '2'; MachineName = '2' }
    [pscustomobject] @{ Message = '3'; MachineName = '2' }
    [pscustomobject] @{ Message = '4'; MachineName = '2' }
    [pscustomobject] @{ Message = '5'; MachineName = '2' }
    [pscustomobject] @{ Message = '1'; MachineName = '1' }
    [pscustomobject] @{ Message = '2'; MachineName = '1' }
    [pscustomobject] @{ Message = '3'; MachineName = '1' }
    [pscustomobject] @{ Message = '4'; MachineName = '1' }
    [pscustomobject] @{ Message = '5'; MachineName = '1' }
    [pscustomobject] @{ Message = '1'; MachineName = '2' }
    [pscustomobject] @{ Message = '2'; MachineName = '2' }
    [pscustomobject] @{ Message = '3'; MachineName = '2' }
    [pscustomobject] @{ Message = '4'; MachineName = '2' }
    [pscustomobject] @{ Message = '5'; MachineName = '2' }
)

Write-Verbose -Verbose 'Sorted on both properties with -Unique'
$objects | Sort-Object -Property Message,MachineName -Unique | Out-Host

Write-Verbose -Verbose 'Sorted on just Message with -Unique'
$objects | Sort-Object -Property Message -Unique | Out-Host

Write-Verbose -Verbose 'Sorted on just MachineName with -Unique'
$objects | Sort-Object -Property MachineName -Unique | Out-Host
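
An added example, not part of the original thread: the same per-machine key applied to event-shaped records, plus a Group-Object variant that keeps how often each event occurred on each machine. The machine names, event IDs, messages and timestamps are constructed sample data, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample records shaped like event log entries (not real log data).
$events = @(
    [pscustomobject]@{ MachineName = 'SRV01'; Id = 7036; Message = 'Service entered the stopped state'; TimeCreated = [datetime]'2014-05-12 09:00' }
    [pscustomobject]@{ MachineName = 'SRV01'; Id = 7036; Message = 'Service entered the stopped state'; TimeCreated = [datetime]'2014-05-12 09:05' }
    [pscustomobject]@{ MachineName = 'SRV01'; Id = 1000; Message = 'Application error';                 TimeCreated = [datetime]'2014-05-12 09:10' }
    [pscustomobject]@{ MachineName = 'WS01';  Id = 7036; Message = 'Service entered the stopped state'; TimeCreated = [datetime]'2014-05-12 09:02' }
    [pscustomobject]@{ MachineName = 'WS01';  Id = 7036; Message = 'Service entered the stopped state'; TimeCreated = [datetime]'2014-05-12 09:20' }
)

# Per-machine unique events. MachineName is part of the key, so the same event
# seen on SRV01 and on WS01 stays as two rows. TimeCreated is deliberately left
# out of the key: it differs on every record and would make every row unique.
$perMachine = $events | Sort-Object -Property MachineName, Id, Message -Unique

# Same key, but keep the number of occurrences and the time range per machine.
$summary = $events |
    Group-Object -Property MachineName, Id, Message |
    ForEach-Object {
        # @() keeps this an array even when the group holds a single record.
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            MachineName = $_.Group[0].MachineName
            Id          = $_.Group[0].Id
            Message     = $_.Group[0].Message
            Count       = $_.Count
            FirstSeen   = $times[0]
            LastSeen    = $times[-1]
        }
    }

$perMachine | Format-Table MachineName, Id, Message -AutoSize
$summary    | Format-Table -AutoSize
```

Sort-Object compares strings case-insensitively unless -CaseSensitive is given, so messages that differ only in letter case collapse into one row.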

May 12, 2014 at 9:58 am

Okay, very odd. That does work like a charm. Okay, let me dive back into it a bit.. Thanks!

May 12, 2014 at 10:05 am

Ahhh.. Looks like it might have been my mistake.. I think it was the way I generated the test events on the one machine. Seems to be working. Second set of eyes to look at it helped.

Many thanks, Dave!

Side note: For those wondering, I was trying to cheat when I was generating the event on the workstation from the server using Write-EventLog. Would have worked fine if I had used remoting rather than Write-EventLog -ComputerName. Oops.