PSCustomObject and Get-WinEvents

  • #100543

    Participant

    I've a set of commands that I run against a set of servers using PSCustomObject to hold all the commands and then Invoke-Command to run them against the servers. One of the commands is Get-WinEvent and previously I used -FilterHashtable to apply filters but had changed to -FilterXML so I can exclude particular EventId. But now I get no data returned when I run the script, only if I ran the command directly.

    This works

    $(Get-Winevent -Filterxml '*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]') | Select TimeCreated,Id,LevelDisplayName,Message
    

    This doesn't

    $GetData = {
    [PSCustomObject]@{
            EventLog = $(Get-WinEvent -Filterxml '*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]' | Select TimeCreated , Id, LevelDisplayName, Message)
        }
    }
    
    Invoke-Command -ComputerName $Servers -ScriptBlock $GetData -ErrorAction SilentlyContinue
    

    I used to use this, which did work

    $GetData = {
    [PSCustomObject]@{
            EventLog = $(Get-WinEvent -FilterHashtable @{logname='application'; level=1,2,3 ; StartTime=(Get-Date).AddDays(-1)} | Select TimeCreated , Id, LevelDisplayName, Message)
        }
    }
    
    Invoke-Command -ComputerName $Servers -ScriptBlock $GetData -ErrorAction SilentlyContinue
    

    Where am I going wrong?

  • #100648

    Participant

    The first line of code which you mentioned worked for you doesn't work for me. When I run

    $(Get-Winevent -Filterxml '*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]') | Select TimeCreated,Id,LevelDisplayName,Message
    

    I get an error

    Get-WinEvent : Cannot bind parameter 'FilterXml'. Cannot convert value "*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 
    86400000]]]*[System[(EventID=9245 or EventID=1008)]]" to type "System.Xml.XmlDocument". Error: "The specified node cannot be inserted as the valid child of this node, 
    because the specified node is the wrong type."
    At line:1 char:27
    + ...  -Filterxml '*[System[(Level=1  or Level=2 or Level=3) and TimeCreate ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Get-WinEvent], ParameterBindingException
        + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.GetWinEventCommand
    

    Looking at the help topic for "Get-WinEvent" it suggests that the -FilterXML parameter is looking for an XMLDocument object, but it appears you are feeding it a string.

    -FilterXml
    Uses a structured XML query to select events from one or more event logs.

    Required? true
    Position? 1
    Default value None
    Accept pipeline input? true (ByValue, ByPropertyName)
    Accept wildcard characters? false

    When attempting to assign the filter to a type casted variable I get the same error

    [System.Xml.XmlDocument]$filter = '*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]'
    $(Get-Winevent -Filterxml $filter)
    
    Cannot convert value "*[System[(Level=1  or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) < = 86400000]]]*[System[(EventID=9245 or EventID=1008)]]" to type 
    "System.Xml.XmlDocument". Error: "The specified node cannot be inserted as the valid child of this node, because the specified node is the wrong type."
    At line:1 char:1
    + [System.Xml.XmlDocument]$filter = '*[System[(Level=1  or Level=2 or L ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : MetadataError: (:) [], ArgumentTransformationMetadataException
        + FullyQualifiedErrorId : RuntimeException
     
    Get-WinEvent : Cannot bind argument to parameter 'FilterXml' because it is null.
    At line:2 char:27
    + $(Get-Winevent -Filterxml $filter )
    +                           ~~~~~~~
        + CategoryInfo          : InvalidData: (:) [Get-WinEvent], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.GetWinEventCommand
    

    It appears there is an issue in the formatting that XML doesn't care for. I am not certain exactly what it is, but hopefully this will help you narrow down and pinpoint the issue.

    Just curious, why use Invoke-Command when Get-WinEvent uses the -ComputerName parameter?
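
Added example, not part of the original thread or either poster's code: one way to express the same filter as a well-formed structured query that converts to System.Xml.XmlDocument, with the excluded event IDs in a `<Suppress>` element, run through Invoke-Command while returning any error text instead of silencing it. Assumptions: the Application log (taken from the -FilterHashtable version in the question), placeholder server names, and a hypothetical `Error` property on the returned object.

```powershell
# Assumption: placeholder server names, constructed for this example.
$Servers = @('SERVER01', 'SERVER02')

$GetData = {
    # Single-quoted here-string: PowerShell expands nothing inside it.
    # "<" in the XPath must be written as &lt; or the [xml] cast fails.
    # The log name "Application" is an assumption taken from the question's
    # earlier -FilterHashtable version.
    [xml]$query = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Suppress Path="Application">*[System[(EventID=9245 or EventID=1008)]]</Suppress>
  </Query>
</QueryList>
'@

    try {
        # -ErrorAction Stop turns "no matching events" and query errors
        # into exceptions so they can be reported per server.
        $events = Get-WinEvent -FilterXml $query -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
        $err = $null
    }
    catch {
        # Keep the message so an empty result can be told apart from
        # a rejected query or an unreadable log.
        $events = @()
        $err = $_.Exception.Message
    }

    [PSCustomObject]@{
        EventLog = $events
        Error    = $err      # hypothetical property name, for illustration
    }
}

# No -ErrorAction SilentlyContinue here, so connection failures stay visible.
Invoke-Command -ComputerName $Servers -ScriptBlock $GetData
```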
