Selecting unique objects along with other property

This topic contains 10 replies, has 4 voices, and was last updated by Suresh krishnan 1 month, 3 weeks ago.

  • #49105
    Suresh krishnan
    Participant

    Dear Community

    I need your help with my query below.

    I am trying to retrieve event log messages for a particular event ID, and I need to extract the messages which are unique, which I am able to get with the code below. I also wanted to get the TimeCreated property along with the unique messages, which I am unable to get. I have tried a few options but nothing works 🙁. TIA

    $eventlogs = Get-WinEvent -FilterHashtable @{logname='Application';id=1194;starttime=$time}
    $Message = $eventlogs | select-object message -unique
    
    #49108
    Jonathan Warnken
    Participant

    Selecting with the TimeCreated property specified should give you what you need

    Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique
    #49110
    Suresh krishnan
    Participant

    Hi Jonathan

    Thanks for the reply. But it's not working :(. It looks like the TimeCreated property is applied for unique.

    (Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique).count
    4014
    (Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -unique).count
    38

    #49126
    Jonathan Warnken
    Participant

    That is correct

    -Unique
    Specifies that if a subset of the input objects has identical properties and values, only a single member of the subset will be selected.

    While the number will vary based on the system, selecting without the -unique switch gives you the largest number.

    (Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message).count
    93
    (Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message).count
    93

    Using -unique with just the message property will give the unique messages and the smallest number of events.

    (Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique).count
    5

    Adding any other property will expand the returns because all of the properties will be evaluated for the -unique switch.

    (Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -Unique).count
    86

    If you are trying to limit the return to just the last event details (or whatever your requirements are), you will need to get the unique messages and then query based on your requirements. This example will get the last event for each message.

    $msgs = Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
    foreach($msg in $msgs){
        Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated,Message -Last 1
    }
    
    #49128
    Suresh krishnan
    Participant

    Hi Jonathan

    I think this will work :). I am not near a system to check; I will check later. Thank you for taking your valuable time to explain in detail. Much clearer now 🙂. Our community rocks 😊

    #49132
    Suresh krishnan
    Participant

    Hi Jonathan

    It's not working 🙁. Are you getting the same count for both?

    $msgs = Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
    $result = foreach($msg in $msgs){
        Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated
    }
    $result.count 
    
    #49134
    Christian Sandfeld
    Participant

    Hi Suresh,

    I think the below should give you what you want.

    # Set filter hash specifying event log name and event id
    $FilterHash = @{
        logname = 'Application'
        id      = 1003
    }
    
    # Get all events matching filter
    $AllEvents = Get-WinEvent -FilterHashtable $FilterHash
    $AllEvents.Count
    
    
    # Get all unique messages (just for comparison)
    $UniqueMessages = $AllEvents | Select-Object -Property Message -Unique
    $UniqueMessages.Count
    
    
    # Build result set while tracking if message has been seen before
    $Result = @()
    foreach ($Event in $AllEvents)
    {
        if (-not ($Result.Message -contains $Event.Message))
        {
            $Result = $Result + $Event
        }
    }
    $Result.Count
    
    # Get TimeCreated and message from result set
    $Result | Select-Object -Property TimeCreated, Message
    
    #49175
    Jonathan Warnken
    Participant

    Suresh
    Your code is missing the filter to only select the last event; that is why the counts are different.
    This

    $msgs = Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
    $result = foreach($msg in $msgs){
        Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|
        Where-Object{$_.Message -eq $msg.Message}|
        Select-Object TimeCreated
    }
    $result.count 
    

    should be

    $msgs = Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
    $msgs.count
    $result = foreach($msg in $msgs){
        Get-WinEvent -FilterHashtable @{logname='Application';id=1003}|
        Where-Object{$_.Message -eq $msg.Message}|
        Select-Object TimeCreated,Message -Last 1
    }
    $result.count 
    
    #49206
    Suresh krishnan
    Participant

    Excellent. It worked 🙂. Once again, thank you so much :):) You have been really helpful. Cheers.

    #49410
    Paal Braathen
    Participant

    One small thing:

    Always wrap your commands in @() when you expect multiple values, but might get 0 or 1.

    Because this gives an error:

    Set-StrictMode -Version "latest"
    $Events = Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1
    $Events.Count
    
    # The property 'Count' cannot be found on this object. Verify that the property exists.

    But this will work:

    Set-StrictMode -Version "latest"
    $Events = @(Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1)
    $Events.Count
    
    # 1

    That might save you some serious headache if you some day in the future suddenly get a single event.

    • This reply was modified 1 month, 3 weeks ago by Paal Braathen.
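
The goal discussed in this thread (one row per unique message, with its timestamps) done in a single pass over the log, with the `@()` guard from the post above applied. This is an added example, not code from any of the posts; the helper name `Get-UniqueMessageSummary` and the sample events are hypothetical.

```powershell
Set-StrictMode -Version Latest

# Hypothetical helper (not from the thread): one row per distinct Message, built in
# a single pass, so the log is read once instead of once per unique message.
# Assumes PowerShell 5 or later for the ::new() constructor syntax.
function Get-UniqueMessageSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    begin {
        # Ordinal comparer: case-sensitive, matching Select-Object -Unique.
        $seen = [System.Collections.Generic.Dictionary[string,object]]::new([System.StringComparer]::Ordinal)
    }
    process {
        $key = [string]$InputObject.Message   # $null (unrendered message) becomes ''
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = [pscustomobject]@{
                Count     = 0
                FirstSeen = $InputObject.TimeCreated
                LastSeen  = $InputObject.TimeCreated
                Message   = $key
            }
        }
        $row = $seen[$key]
        $row.Count++
        if ($InputObject.TimeCreated -lt $row.FirstSeen) { $row.FirstSeen = $InputObject.TimeCreated }
        if ($InputObject.TimeCreated -gt $row.LastSeen)  { $row.LastSeen  = $InputObject.TimeCreated }
    }
    end { $seen.Values | Sort-Object -Property LastSeen -Descending }
}

# Constructed sample objects standing in for Get-WinEvent output (not real log data).
$t0 = [datetime]'2024-01-01T08:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); Message = 'Sample message A' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(20); Message = 'Sample message B' }
    [pscustomobject]@{ TimeCreated = $t0;                Message = 'Sample message A' }
)

# @() keeps .Count valid under strict mode when zero or one row comes back.
$summary = @($sample | Get-UniqueMessageSummary)
$summary.Count
$summary | Format-Table -Property Count, FirstSeen, LastSeen, Message -AutoSize

# Against a live log, with the filter used in the thread:
# @(Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1003} | Get-UniqueMessageSummary)
```

Keeping both `FirstSeen` and `LastSeen` avoids depending on the order in which `Get-WinEvent` returns events, and `Count` shows how often each message recurred.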
    #49421
    Suresh krishnan
    Participant

    Thanks Christian 🙂 and thanks Paal Braathen for your help 🙂. Cheers
