psobject format output

Welcome Forums General PowerShell Q&A psobject format output

This topic contains 2 replies, has 2 voices, and was last updated by

mich.a
 
Participant
1 year ago.

  • Author
    Posts
  • November 14, 2017 at 11:58 am #84230
    mich.a

    Participant
    Points: 1
    Rank: Member

    Hello all,
    I'm writing a function to retrieve from a series of events (eventID 153) binary data in XML view.
    My issue is with the output, which seems to be stored in hashtable.

    Function Get-StorPortXMLEvents {
    #Local path to evtx file.
    $GenEvtPath = 'C:\tmp\diskErrors.evtx'

    #Setting to xml
    $EventData = ([xml[]](Get-WinEvent -FilterHashtable @{Path = $GenEvtPath} -MaxEvents 5).toxml())

    #Enumerating objects with foreach
    foreach ($diskEvt in $EventData) {
    
	#Which info I want to pull
        $EvtProperties = @{
            Data        = $EventData.event.eventdata.data
            Binary      = $EventData.event.eventdata.binary
            TimeCreated = $EventData.event.system.timecreated.systemtime
        }
        #Creating my object
	$MyObj = New-Object -TypeName psobject -Property $EvtProperties
        Write-Output $MyObj
        
    }
}

    The output:

    [13:19 PM C:\]>  Get-StorPortXMLEvents | fl


TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

TimeCreated : {2017-11-02T13:30:54.386394300Z, 2017-11-02T13:30:51.872859400Z, 2017-11-02T13:30:51.575979800Z,
              2017-10-27T05:49:39.077479800Z...}
Data        : {\Device\Harddisk3\DR3, 0x890f1a8, 3, \Device\MPIODisk0...}
Binary      : {0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928,
              0F01040004002C0000000000990004800000000000000000000000000000000000000000000000000000092A,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000988,
              0F01040004002C00000000009900048000000000000000000000000000000000000000000000000000000928...}

    My goal is to match each event (data) with each time (timecreated) and its binary code.
    I would appreciate your input folks.

  • November 14, 2017 at 4:04 pm #84244
    Richard Siddaway

    Participant
    Points: 0
    Rank: Member

    I think you have an error in your code

    $EvtProperties = @{
    Data = $EventData.event.eventdata.data
    Binary = $EventData.event.eventdata.binary
    TimeCreated = $EventData.event.system.timecreated.systemtime
    }

    should be

    $EvtProperties = @{
    Data = $$diskEvt.event.eventdata.data
    Binary = $$diskEvt.event.eventdata.binary
    TimeCreated = $$diskEvt.event.system.timecreated.systemtime
    }

    or something similar. You're currently creating the output using the collection of events rather than each individual event which is what I presume you're after

    • November 14, 2017 at 8:00 pm #84248
      mich.a

      Participant
      Points: 1
      Rank: Member

      Thanks a lot Richard! Yes I was looking for each individual event.

  • Author
    Posts

The topic ‘psobject format output’ is closed to new replies.