Topic: psobject format output

This topic contains 2 replies, has 2 voices, and was last updated by

mich.a

Participant

1 year, 3 months ago.

Author

Posts

November 14, 2017 at 11:58 am #84230

mich.a

Participant

Points: 1

Rank: Member

Hello all,
I'm writing a function to retrieve from a series of events (eventID 153) binary data in XML view.
My issue is with the output, which seems to be stored in hashtable.

Function Get-StorPortXMLEvents {
    #Local path to evtx file.
    $GenEvtPath = 'C:\tmp\diskErrors.evtx'

    #Setting to xml
    $EventData = ([xml[]](Get-WinEvent -FilterHashtable @{Path = $GenEvtPath} -MaxEvents 5).toxml())

    #Enumerating objects with foreach
    foreach ($diskEvt in $EventData) {
    
	#Which info I want to pull
        $EvtProperties = @{
            Data        = $EventData.event.eventdata.data
            Binary      = $EventData.event.eventdata.binary
            TimeCreated = $EventData.event.system.timecreated.systemtime
        }
        #Creating my object
	$MyObj = New-Object -TypeName psobject -Property $EvtProperties
        Write-Output $MyObj
        
    }
}

The output:

[13:19 PM C:\]>  Get-StorPortXMLEvents | fl


TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

My goal is to match each event (data) with each time (timecreated) and its binary code.
I would appreciate your input folks.

November 14, 2017 at 4:04 pm #84244

Richard Siddaway

Participant

Points: 0
Rank: Member

I think you have an error in your code

$EvtProperties = @{
Data = $EventData.event.eventdata.data
Binary = $EventData.event.eventdata.binary
TimeCreated = $EventData.event.system.timecreated.systemtime
}

should be

$EvtProperties = @{
Data = $$diskEvt.event.eventdata.data
Binary = $$diskEvt.event.eventdata.binary
TimeCreated = $$diskEvt.event.system.timecreated.systemtime
}

or something similar. You're currently creating the output using the collection of events rather than each individual event which is what I presume you're after
- November 14, 2017 at 8:00 pm #84248
  
  mich.a
  
  Participant
  
  Points: 1
  Rank: Member
  
  Thanks a lot Richard! Yes I was looking for each individual event.
Author

Posts

The topic ‘psobject format output’ is closed to new replies.

psobject format output

Sign in to your account