Read selected events from the event log

Welcome Forums General PowerShell Q&A Read selected events from the event log

This topic contains 5 replies, has 4 voices, and was last updated by

5 years, 9 months ago.

  • Author
  • #7663

    Points: 2
    Rank: Member

    I am new to powershell and need some help.  I am creating a script to be run as a scheduled task at startup to look for event log entries of unexpected shutdown.  I am only interested in the events that occured within the last hour of startup.  If an event is found, an email is sent to the helpdesk.  The script I created works if an entry exists but errors if it does not. It fails because nothing is found to assign to the variable. How can I handle that situation?

    $UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog -After (Get-Date).AddHours(-1) -Newest 1
    Send-MailMessage -To -From "" -SmtpServer -Subject "Unexpected shutdown: $env:COMPUTERNAME" -Body $UnexpectedReboot.Message

    The error is:

    Get-EventLog : No matches found
    At line:1 char:19
    + $UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException
    + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

  • #7667

    Points: 1,811
    Helping HandTeam Member
    Rank: Community Hero

    It depends on what you'd like to do. You could add -ErrorAction SilentlyContinue to the command, which will suppress the error. You could then check and see if $UnexpectedReboot was empty or not. That'll probably be difficult to do in a one-liner; this would be easier for you if you broke these commands out into a short script.

  • #7677

    Points: 1
    Rank: Member

    An alternative would be to add -ErrorAction Stop to your Get-EventLog call and enclose the scriptlet in a Try/Catch block. Since you want to ignore the case where no unexpected reboot occurred, the catch block can be empty.

  • #7678

    Points: 2
    Rank: Member

    Thank you, Don and Art.  I tried Stop first since it was the shorter solution and I believe in KISS.  But it still returned an error.  I don't like errors even if they don't affect he result.  SilentlyContinue did not return a error.  I solved the problem of $UnexpectedReboot being empty with an If statement.  Here is my solution:

    $UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog -After (Get-Date).AddHours(-1) -Newest 1 -ErrorAction SilentlyContinue
    If ($UnexpectedReboot -ne $null) {Send-MailMessage -To -From "" -SmtpServer -Subject "Unexpected shutdown: $env:COMPUTERNAME" -Body $UnexpectedReboot.Message}

    Don, since I am new to PowerShell I am going to try to break this out into a short script for practice and exerience.

    This was a good problem for me.  I learned something!

  • #7700

    Points: 0
    Rank: Member

    Two things pop for me right away:

    If ($UnexpectedReboot -ne $Null)

    can be replaced with

    if ($Unexpectedreboot)

    The second option will always return true if the variable has a value other than false.  If it's empty then it won't go through.


    The other thing is are you sure that you're getting the right event log information?  it might be better to look for a particular event ID.  Right now you're just pulling any error in the system log that happened within the hour before the script was run.

  • #7708

    Points: 2
    Rank: Member

    Don, I wrote it as a script.  It makes it a lot more readable.  Thank you for the suggestion.

The topic ‘Read selected events from the event log’ is closed to new replies.

denizli escort samsun escort muğla escort ataşehir escort kuşadası escort