
October 21, 2016 at 7:29 am

Hey Guys,

I'm having a problem. I first put the data I want into 2 variables, $Started_Time & $Ended_Time, as below:
(Sorry for how the text is formatted, I can't get it to be nicely readable)

$Before = Get-Date
$Started_Time = Get-EventLog -LogName Security -EntryType SuccessAudit -InstanceID 4688 -Before $Before -Message "*outlook.exe*" | Select -ExpandProperty TimeWritten
$Ended_Time = Get-EventLog -LogName Security -EntryType SuccessAudit -InstanceID 4689 -Before $Before -Message "*outlook.exe*" | Select -ExpandProperty TimeWritten

Each of them returns me the data in a column, like this:

Thursday, October 20, 2016 4:58:35 PM
Thursday, October 20, 2016 3:15:17 PM
Wednesday, October 19, 2016 11:06:06 AM

Then, I run this:

New-Object PSObject -Property ([ordered]@{'Start Time'=$Started_Time;'End Time'=$Ended_Time})

And here is the output:

Start Time End Time
---------- --------
{10/20/2016 4:58:35 PM, 10/20/2016 3:15:17 PM, 10/19/2016 11:06:06 AM} {10/20/2016 4:49:43 PM, 10/20/2016 3:15:12 PM}

I can't figure out how to get my data in columns, like this:

Start Time End Time
---------- ----------
Date1 Date1
Date2 Date2
Date3 Date3

Thanks for your help !

October 21, 2016 at 8:04 am

Anthony,

You create 2 independent lists of dates. I think you should first create something that matches the start time with the related end time.

October 21, 2016 at 8:58 am

Here is my code now:

$Start_Date = [Datetime]::Today.AddDays(-1).AddHours(1)
$End_Date = [Datetime]::Today.AddDays(-1).AddHours(23)


$Started_Time = Get-EventLog -LogName Security -EntryType SuccessAudit -InstanceID 4688 -Before $End_Date -After $Start_Date -Message "*outlook.exe*" | Select -ExpandProperty TimeWritten
$Ended_Time = Get-EventLog -LogName Security -EntryType SuccessAudit -InstanceID 4689 -Before $End_Date -After $Start_Date -Message "*outlook.exe*" | Select -ExpandProperty TimeWritten

New-Object -TypeName PSObject -Property ([ordered]@{'Start Time'=$Started_Time;'End Time'=$Ended_Time})

I don't necessarily need to have date1 in the Start Time column matching date1 in the End Time column.

I just need the date to be displayed in a column format...

My code gives me this:

Start Time                                     End Time                                      
----------                                     --------                                      
{10/20/2016 4:58:35 PM, 10/20/2016 3:15:17 PM} {10/20/2016 4:49:43 PM, 10/20/2016 3:15:12 PM}

October 21, 2016 at 10:30 am

#requires -Version 4.0
# I don't know, maybe this works also on earlier PS versions

$Start_Date = [Datetime]::Today.AddDays(-1).AddHours(1)
$End_Date = [Datetime]::Today.AddDays(-1).AddHours(23)

# First, there is no need to call Get-EventLog twice,
# and I use splatting for better readability of many parameters
$geteventlogparams = @{
    LogName    = 'Security'
    EntryType  = 'SuccessAudit'
    InstanceID = 4688,4689
    Before     = $End_Date
    After      = $Start_Date
    Message    = "*outlook.exe*"
}
$events = Get-EventLog @geteventlogparams

# Second, to properly pair start and stop events you need to split them by process ID,
# so start and stop events for the same process are grouped together.
# This grouping may be version dependent.
# There is some magic:
# for event 4688 we need ReplacementStrings[4] (New Process ID)
# and for event 4689 we need ReplacementStrings[5] (Process ID)
$groupedByProcessID = $events | Group-Object { $_.ReplacementStrings[$_.InstanceId - 4684] }

# And now you fill out your objects.
# There you can export it somewhere
# or out to the console as I do
foreach ($processID in $groupedByProcessID) {
    $Started_TimeEvent = $processID.Group | Where-Object { $_.InstanceId -eq 4688 }
    $Ended_TimeEvent   = $processID.Group | Where-Object { $_.InstanceId -eq 4689 }
    # v3+, you can replace it with New-Object for compatibility
    [PSCustomObject]@{
        Started_Time = $Started_TimeEvent.TimeGenerated
        Ended_Time   = $Ended_TimeEvent.TimeGenerated
    }
}
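The reply above pairs 4688 and 4689 by grouping on the process ID, which answers the first post's problem of two unrelated date lists. Two things a practitioner will hit with that grouping: Windows reuses PIDs, so a PID seen twice in the window collapses into one group with two start and two stop times, and a `-Message "*outlook.exe*"` wildcard also matches 4688 events whose creator process is Outlook on newer Windows versions. The block below is an added example, not code from the thread or from Max Kozlov's script. It walks the events oldest first and matches each exit to the most recent still-open start for that PID, reports starts with no exit and exits with no start, and filters on the process's own image field. The `ReplacementStrings` index layout (4688: PID at [4], image at [5], creator image at [13]; 4689: PID at [5], image at [6]) is taken from the grouping expression above and is an assumption to verify on your OS; the sample events are constructed, and `Get-ProcessLifetime` and `New-SampleEvent` are names chosen here.

```powershell
# Added example for this thread (not code from the original posts): pair 4688 /
# 4689 Security events by process ID, oldest first, matching each exit to the
# most recent still-open start for that PID. Plain Group-Object on the PID
# merges a reused PID into one group; this keeps each lifetime separate and
# also reports starts without an exit (still running) and exits without a start.
# Assumptions: ReplacementStrings layout as in the thread's grouping expression
# (4688: PID at [4], image at [5], creator image at [13]; 4689: PID at [5],
# image at [6]). Verify on your OS with
#   (Get-EventLog -LogName Security -InstanceId 4688 -Newest 1).ReplacementStrings
# The events only exist if "Audit Process Creation" and "Audit Process
# Termination" are enabled in the audit policy.

function Get-ProcessLifetime {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-EventLog output:
        # InstanceId, TimeGenerated, ReplacementStrings
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Event,

        # Image file name of the process to track
        [string]$ImageName = 'outlook.exe'
    )

    begin {
        $all = New-Object System.Collections.Generic.List[object]
        $pidIndex  = @{ 4688 = 4; 4689 = 5 }   # where the process ID lives
        $nameIndex = @{ 4688 = 5; 4689 = 6 }   # where the image path lives
    }
    process { foreach ($e in $Event) { $all.Add($e) } }
    end {
        $open = @{}   # procId -> 4688 event that has not seen its 4689 yet

        $rows = foreach ($e in ($all | Sort-Object TimeGenerated)) {
            $id = [int]$e.InstanceId
            if (-not $pidIndex.ContainsKey($id)) { continue }

            # Not $pid: that is a read-only automatic variable.
            $procId = $e.ReplacementStrings[$pidIndex[$id]]
            $image  = $e.ReplacementStrings[$nameIndex[$id]]

            # Match the process's own image rather than -Message "*outlook.exe*":
            # on newer Windows the 4688 text also names the creator process, so
            # a message wildcard also returns everything Outlook launched.
            if ($image -notlike "*\$ImageName") { continue }

            if ($id -eq 4688) {
                $open[$procId] = $e
            } elseif ($open.ContainsKey($procId)) {
                $start = $open[$procId]
                $open.Remove($procId)
                [PSCustomObject]@{
                    ProcessId    = $procId
                    'Start Time' = $start.TimeGenerated
                    'End Time'   = $e.TimeGenerated
                    Duration     = $e.TimeGenerated - $start.TimeGenerated
                }
            } else {
                # Exit seen, but the start lies before the -After boundary
                [PSCustomObject]@{
                    ProcessId    = $procId
                    'Start Time' = $null
                    'End Time'   = $e.TimeGenerated
                    Duration     = $null
                }
            }
        }

        # Starts with no exit: still running, or exited after -Before
        $stillOpen = foreach ($procId in $open.Keys) {
            [PSCustomObject]@{
                ProcessId    = $procId
                'Start Time' = $open[$procId].TimeGenerated
                'End Time'   = $null
                Duration     = $null
            }
        }

        @($rows) + @($stillOpen) | Where-Object { $null -ne $_ } | Sort-Object 'Start Time'
    }
}

# Constructed sample events (not real log data), shaped like Get-EventLog output;
# only the fields the pairing logic reads are filled in.
function New-SampleEvent([int]$Id, [string]$When, [string]$ProcId, [string]$Image, [string]$Creator = '') {
    $rs = @('') * 14
    if ($Id -eq 4688) { $rs[4] = $ProcId; $rs[5] = $Image; $rs[13] = $Creator }
    else              { $rs[5] = $ProcId; $rs[6] = $Image }
    [PSCustomObject]@{ InstanceId = $Id; TimeGenerated = [datetime]$When; ReplacementStrings = $rs }
}

$outlook = 'C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE'
$sample = @(
    New-SampleEvent 4689 '2016-10-19 09:30:00' '0x0bb8' $outlook   # exit only: started before the window
    New-SampleEvent 4688 '2016-10-19 11:06:06' '0x1a2c' $outlook
    New-SampleEvent 4689 '2016-10-19 11:40:00' '0x1a2c' $outlook
    New-SampleEvent 4688 '2016-10-20 15:15:17' '0x1a2c' $outlook   # PID 0x1a2c reused next day
    New-SampleEvent 4689 '2016-10-20 16:49:43' '0x1a2c' $outlook
    New-SampleEvent 4688 '2016-10-20 16:58:35' '0x2f40' $outlook   # still running
    New-SampleEvent 4688 '2016-10-20 15:20:00' '0x3111' 'C:\Windows\System32\notepad.exe' $outlook  # launched by Outlook: skipped
)

$sample | Get-ProcessLifetime -ImageName 'outlook.exe' | Format-Table -AutoSize
```

Against real data the pipeline is `Get-EventLog -LogName Security -InstanceId 4688,4689 -After $Start_Date -Before $End_Date | Get-ProcessLifetime -ImageName 'outlook.exe'`, and the objects it emits can go straight to `Export-Csv -NoTypeInformation`. The sample run yields four rows: the 0x0bb8 exit with an empty start, the two separate 0x1a2c lifetimes (33 min 54 s and 1 h 34 min 26 s), and the 0x2f40 start with an empty end; the notepad.exe event is dropped even though Outlook launched it.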


October 21, 2016 at 1:14 pm

God you are awesome! You didn't just fix the issue, you made my script better, thanks a ton!

Now I'm gonna work on running this on a list of computers. Ideally, at the end I would have one single CSV with one worksheet per computer, showing the started time & ended time of a defined process.

I'll post here if I'm stuck somewhere :).

October 21, 2016 at 3:07 pm

I've got another issue now... I can't export it to CSV and Out-File doesn't give me a good output in a CSV file...

Here is my script output:

Computer Name Application Started Time          Ended Time            Usage   
------------- ----------- ------------          ----------            -----   
GVA-GUEST-02  Bloomberg   10/21/2016 4:13:10 PM 10/21/2016 4:13:33 PM 00:00:23

And here is what I get when I pipe it to GM:

 TypeName: Microsoft.PowerShell.Commands.Internal.Format.FormatStartData

Name                                    MemberType Definition                                                                                                                                                                               
----                                    ---------- ----------                                                                                                                                                                               
Equals                                  Method     bool Equals(System.Object obj)                                                                                                                                                           
GetHashCode                             Method     int GetHashCode()                                                                                                                                                                        
GetType                                 Method     type GetType()                                                                                                                                                                           
ToString                                Method     string ToString()                                                                                                                                                                        
autosizeInfo                            Property   Microsoft.PowerShell.Commands.Internal.Format.AutosizeInfo, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 autosizeInfo {get;set;}      
ClassId2e4f51ef21dd47e99d3c952918aff9cd Property   string ClassId2e4f51ef21dd47e99d3c952918aff9cd {get;}                                                                                                                                    
groupingEntry                           Property   Microsoft.PowerShell.Commands.Internal.Format.GroupingEntry, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 groupingEntry {get;set;}    
pageFooterEntry                         Property   Microsoft.PowerShell.Commands.Internal.Format.PageFooterEntry, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 pageFooterEntry {get;set;}
pageHeaderEntry                         Property   Microsoft.PowerShell.Commands.Internal.Format.PageHeaderEntry, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 pageHeaderEntry {get;set;}
shapeInfo                               Property   Microsoft.PowerShell.Commands.Internal.Format.ShapeInfo, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 shapeInfo {get;set;}            


   TypeName: Microsoft.PowerShell.Commands.Internal.Format.GroupStartData

Name                                    MemberType Definition                                                                                                                                                                           
----                                    ---------- ----------                                                                                                                                                                           
Equals                                  Method     bool Equals(System.Object obj)                                                                                                                                                       
GetHashCode                             Method     int GetHashCode()                                                                                                                                                                    
GetType                                 Method     type GetType()                                                                                                                                                                       
ToString                                Method     string ToString()                                                                                                                                                                    
ClassId2e4f51ef21dd47e99d3c952918aff9cd Property   string ClassId2e4f51ef21dd47e99d3c952918aff9cd {get;}                                                                                                                                
groupingEntry                           Property   Microsoft.PowerShell.Commands.Internal.Format.GroupingEntry, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 groupingEntry {get;set;}
shapeInfo                               Property   Microsoft.PowerShell.Commands.Internal.Format.ShapeInfo, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 shapeInfo {get;set;}        


   TypeName: Microsoft.PowerShell.Commands.Internal.Format.FormatEntryData

Name                                    MemberType Definition                                                                                                                                                                               
----                                    ---------- ----------                                                                                                                                                                               
Equals                                  Method     bool Equals(System.Object obj)                                                                                                                                                           
GetHashCode                             Method     int GetHashCode()                                                                                                                                                                        
GetType                                 Method     type GetType()                                                                                                                                                                           
ToString                                Method     string ToString()                                                                                                                                                                        
ClassId2e4f51ef21dd47e99d3c952918aff9cd Property   string ClassId2e4f51ef21dd47e99d3c952918aff9cd {get;}                                                                                                                                    
formatEntryInfo                         Property   Microsoft.PowerShell.Commands.Internal.Format.FormatEntryInfo, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 formatEntryInfo {get;set;}
outOfBand                               Property   bool outOfBand {get;set;}                                                                                                                                                                
writeStream                             Property   Microsoft.PowerShell.Commands.Internal.Format.WriteStreamType, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 writeStream {get;set;}    


   TypeName: Microsoft.PowerShell.Commands.Internal.Format.GroupEndData

Name                                    MemberType Definition                                                                                                                                                                           
----                                    ---------- ----------                                                                                                                                                                           
Equals                                  Method     bool Equals(System.Object obj)                                                                                                                                                       
GetHashCode                             Method     int GetHashCode()                                                                                                                                                                    
GetType                                 Method     type GetType()                                                                                                                                                                       
ToString                                Method     string ToString()                                                                                                                                                                    
ClassId2e4f51ef21dd47e99d3c952918aff9cd Property   string ClassId2e4f51ef21dd47e99d3c952918aff9cd {get;}                                                                                                                                
groupingEntry                           Property   Microsoft.PowerShell.Commands.Internal.Format.GroupingEntry, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 groupingEntry {get;set;}


   TypeName: Microsoft.PowerShell.Commands.Internal.Format.FormatEndData

Name                                    MemberType Definition                                                                                                                                                                           
----                                    ---------- ----------                                                                                                                                                                           
Equals                                  Method     bool Equals(System.Object obj)                                                                                                                                                       
GetHashCode                             Method     int GetHashCode()                                                                                                                                                                    
GetType                                 Method     type GetType()                                                                                                                                                                       
ToString                                Method     string ToString()                                                                                                                                                                    
ClassId2e4f51ef21dd47e99d3c952918aff9cd Property   string ClassId2e4f51ef21dd47e99d3c952918aff9cd {get;}                                                                                                                                
groupingEntry                           Property   Microsoft.PowerShell.Commands.Internal.Format.GroupingEntry, System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 groupingEntry {get;set;}

October 21, 2016 at 3:12 pm

I've got another issue now...
I can't use Export-Csv and Out-File won't give me a nice view either...

Here is my code:

Function Get-BloombergUsage {

    $End_Date = Get-Date
    $EventParams = @{
        LogName    = 'Security'
        EntryType  = 'SuccessAudit'
        InstanceID = 4688,4689
        Before     = $End_Date
        #After     = $Start_Date
        Message    = "*blpcbbap.exe*"
    }

    $Events = Get-EventLog @EventParams
    $GroupByProcessID = $Events | Group-Object { $_.ReplacementStrings[$_.InstanceId - 4684] }

    Foreach ($processID in $GroupByProcessID) {
        $Started_TimeEvent = $processID.Group | Where-Object { $_.InstanceId -eq 4688 }
        $Ended_TimeEvent   = $processID.Group | Where-Object { $_.InstanceId -eq 4689 }
        $AverageUsage = New-TimeSpan -End $Ended_TimeEvent.TimeGenerated -Start $Started_TimeEvent.TimeGenerated

        New-Object PsObject -Property ([ordered]@{
            'Computer Name' = Hostname;
            'Application'   = 'Bloomberg';
            'Started Time'  = $Started_TimeEvent.TimeGenerated;
            'Ended Time'    = $Ended_TimeEvent.TimeGenerated;
            'Usage'         = $AverageUsage
        }) | FT -AutoSize
    }
}

Get-BloombergUsage

Here is the output of my script:


Computer Name Application Started Time          Ended Time            Usage   
------------- ----------- ------------          ----------            -----   
GVA-GUEST-02  Bloomberg   10/21/2016 4:13:10 PM 10/21/2016 4:13:33 PM 00:00:23

I piped it to GM to see but I get this:

TypeName: Microsoft.PowerShell.Commands.Internal.Format.GroupStartData

October 21, 2016 at 3:56 pm

PowerShell gotcha. Check out the Ebooks link above for more details, but Format-Table (FT) kills the pipeline. Remove the following:

| FT -AutoSize

October 22, 2016 at 1:29 pm

Hey folks,

Yes, I know FT won't work with CSV, that's why I tried using Out-File...

Problem is, if I remove the FT -AutoSize, it transforms my output into rows unless I remove one column.

For example, my output gave me the first 3 columns (Computer name, Started time, Ended time).
I then added, as the 4th column, the New-TimeSpan to calculate the time difference between the ended time and started time, and the output got changed from columns to lines, unless I use FT -AutoSize...

October 22, 2016 at 2:23 pm

Up to 4 properties, the console always shows a table. If it's more, it will be a list unless you specify something different. But that's only the standard behaviour in the console. If you use Export-CSV it will always be in columns no matter how many properties you specify.
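The two replies above make the point that the function has to return objects and that `Format-Table` belongs at the very end; the `Get-Member` output posted earlier (`Microsoft.PowerShell.Commands.Internal.Format.*` records instead of a `PSCustomObject`) is exactly what `| FT -AutoSize` inside the function produces. The block below is an added example, not code from the thread. `Get-SampleUsage` stands in for the thread's `Get-BloombergUsage` and returns one constructed row with the same five properties; `Export-UsageReport` is a name chosen here. It shows the object type before and after `Format-Table`, writes the rows to a CSV with every column present, and pins the timestamps to ISO 8601 so the file reads the same on any machine, a detail that matters once the report is gathered from several computers with different regional settings.

```powershell
# Added example for this thread (not code from the original posts). Shows why
# the function must emit objects and leave Format-Table to the very end, and
# how the same objects reach a CSV with every column intact. Get-SampleUsage
# stands in for the thread's Get-BloombergUsage and returns constructed data.

function Get-SampleUsage {
    # Five properties: the console renders this as a list unless it is piped to
    # Format-Table; Export-Csv does not care how many properties there are.
    $start = [datetime]'2016-10-21 16:13:10'
    $end   = [datetime]'2016-10-21 16:13:33'
    [PSCustomObject]@{
        'Computer Name' = $env:COMPUTERNAME
        Application     = 'Bloomberg'
        'Started Time'  = $start
        'Ended Time'    = $end
        Usage           = $end - $start
    }
}

function Export-UsageReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Row,
        [Parameter(Mandatory)] [string]$Path
    )
    process {
        foreach ($r in $Row) {
            # Export-Csv writes DateTime in the current culture's format and
            # TimeSpan as d.hh:mm:ss. For a report that is read elsewhere, pin
            # timestamps to ISO 8601 and the duration to a plain number so the
            # file sorts and imports the same way on every machine.
            [PSCustomObject]@{
                'Computer Name' = $r.'Computer Name'
                Application     = $r.Application
                'Started Time'  = $r.'Started Time'.ToString('o')
                'Ended Time'    = $r.'Ended Time'.ToString('o')
                UsageSeconds    = [int]$r.Usage.TotalSeconds
            } | Export-Csv -Path $Path -NoTypeInformation -Append -Encoding UTF8
        }
    }
}

$rows = Get-SampleUsage

# Objects stay objects ...
($rows | Get-Member).TypeName | Select-Object -Unique
# ... until Format-Table replaces them with Microsoft.PowerShell.Commands.Internal.Format.*
# records, which is what the thread saw in Get-Member and what Export-Csv cannot use:
($rows | Format-Table -AutoSize | Get-Member).TypeName | Select-Object -Unique

$csv = Join-Path $env:TEMP 'usage.csv'
if (Test-Path $csv) { Remove-Item $csv }
$rows | Export-UsageReport -Path $csv
Get-Content $csv

# Format only at the end, for the console, never inside the function
Import-Csv $csv | Format-Table -AutoSize
```

For the list-of-computers step mentioned earlier in the thread, running the collecting function through `Invoke-Command -ComputerName` returns the same objects with a `PSComputerName` property added, so one `Export-Csv` (or `Export-UsageReport`) call gathers every machine into a single file. A CSV has no worksheets, so the choice is one file per computer or one file with a computer column; the latter is what the example writes.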

October 24, 2016 at 6:37 am

It works !

Thanks to all of you I learned so much.