Selecting unique objects along with other property

Welcome Forums General PowerShell Q&A Selecting unique objects along with other property

This topic contains 10 replies, has 4 voices, and was last updated by

 
Participant
2 years, 4 months ago.

  • Author
    Posts
  • #49105

    Participant
    Points: 1
    Rank: Member

    Dear Community

    I need your help with my below query .

    I am trying to retrive event log message for particular event id and i need to extract message which are unique which i am able to get with below code , i also wanted to get timecreated property along with unique message which i am unable to get, i have tried few options but nothing works 🙁 . TIA

    $eventlogs = Get-WinEvent –FilterHashtable @{logname='Application';id=1194;starttime=$time} 
         $Message = $eventlogs | select-object message -unique
    
  • #49108

    Participant
    Points: 0
    Rank: Member

    Selecting with the TimeCreated property specified should give you what you need

    Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique
    • #49110

      Participant
      Points: 1
      Rank: Member

      Hi Jonathan

      Thanks for the reply . But its not working :(. It looks like the timecreated property is applied for unique.

      (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique).count
      4014
      (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -unique).count
      38

  • #49126

    Participant
    Points: 0
    Rank: Member

    That is correct

    -Unique
    Specifies that if a subset of the input objects has identical properties and values, only a single member of the subset will be selected.

    While the number will vary based on the system selecting without the -unique switch gives you the largest number.

    (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message).count
    93
    (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message).count
    93
    

    using -unique with just the message property will the unique messages and the smallest number of events

    (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique).count
    5
    

    adding any other property will expand the returns because all of the properties will be evaluated for the -unique switch.

    (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -Unique).count
    86
    

    If you are trying to limit the return to just the last event details(or what ever your requirements are) you will need to get the unique messages and then query based on your requirements. This example will get the last event for each message.

    $msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
    foreach($msg in $msgs){
        Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated,Message -Last 1
    }
    
  • #49128

    Participant
    Points: 1
    Rank: Member

    Hi jonathan
    I think this will work :), i am not near system to check will check later.. Thank u for taking your valuable time to explain in detail .. Much clear now 🙂 .. Our community rocks 😊

    • #49132

      Participant
      Points: 1
      Rank: Member

      Hi Jonathan

      Its not working 🙁 . are you getting same count for both ?

      $msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
      $result = foreach($msg in $msgs){
          Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated
      }
      $result.count 
      
  • #49134

    Participant
    Points: 16
    Rank: Member

    Hi Suresh,

    I think the below should give you what you want.

    # Set filter hash specifying event log name and event id
    $FilterHash = @{
        logname = 'Application'
        id      = 1003
    }
    
    # Get all events matching filter
    $AllEvents = Get-WinEvent –FilterHashtable $FilterHash
    $AllEvents.Count
    
    
    # Get all unique messages (just for comparison)
    $UniqueMessages = $AllEvents | Select-Object -Property Message -Unique
    $UniqueMessages.Count
    
    
    # Build result set while tracking if message has been seen before
    $Result = @()
    foreach ($Event in $AllEvents)
    {
        if (-not ($Result.Message -contains $Event.Message))
        {
            $Result = $Result + $Event
        }
    }
    $Result.Count
    
    # Get TimeCreated and message from result set
    $Result | Select-Object -Property TimeCreated, Message
    
  • #49175

    Participant
    Points: 0
    Rank: Member

    Suresh
    Your code is missing the filter to only select the last event that is why the counts are different.
    This

    $msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
    $result = foreach($msg in $msgs){
        Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|
        Where-Object{$_.Message -eq $msg.Message}|
        Select-Object TimeCreated
    }
    $result.count 
    

    should be

    $msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
    $msgs.count
    $result = foreach($msg in $msgs){
        Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|
        Where-Object{$_.Message -eq $msg.Message}|
        Select-Object TimeCreated,Message -Last 1
    }
    $result.count 
    
    • #49421

      Participant
      Points: 1
      Rank: Member

      Thanks Christian 🙂 and thanks paul Brathen for your help 🙂 .. Cheers

  • #49206

    Participant
    Points: 1
    Rank: Member

    Excellent .. It worked. 🙂 .once again thank you so much :):) you have been really helpful . Cheers.

  • #49410

    Participant
    Points: 0
    Rank: Member

    One small thing:

    Always wrap your commands in @() when you expect multiple values, but might get 0 or 1.

    Because this gives an error:

    Set-StrictMode -Version "latest"
    $Events = Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1
    $Events.Count
    
    # The property 'Count' cannot be found on this object. Verify that the property exists.

    But this will work:

    Set-StrictMode -Version "latest"
    $Events = @(Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1)
    $Events.Count
    
    # 1

    That might save you some serious headache if you some day in the future suddenly get a single event.

The topic ‘Selecting unique objects along with other property’ is closed to new replies.