Author Posts

August 3, 2016 at 1:26 am

Dear Community

I need your help with my below query .

I am trying to retrive event log message for particular event id and i need to extract message which are unique which i am able to get with below code , i also wanted to get timecreated property along with unique message which i am unable to get, i have tried few options but nothing works 🙁 . TIA

$eventlogs = Get-WinEvent –FilterHashtable @{logname='Application';id=1194;starttime=$time} 
     $Message = $eventlogs | select-object message -unique

August 3, 2016 at 2:18 am

Selecting with the TimeCreated property specified should give you what you need

Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique

August 3, 2016 at 3:01 am

Hi Jonathan

Thanks for the reply . But its not working :(. It looks like the timecreated property is applied for unique.

(Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique).count
(Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -unique).count

August 3, 2016 at 4:42 am

That is correct

Specifies that if a subset of the input objects has identical properties and values, only a single member of the subset will be selected.

While the number will vary based on the system selecting without the -unique switch gives you the largest number.

(Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message).count
(Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message).count

using -unique with just the message property will the unique messages and the smallest number of events

(Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique).count

adding any other property will expand the returns because all of the properties will be evaluated for the -unique switch.

(Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -Unique).count

If you are trying to limit the return to just the last event details(or what ever your requirements are) you will need to get the unique messages and then query based on your requirements. This example will get the last event for each message.

$msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
foreach($msg in $msgs){
    Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated,Message -Last 1

August 3, 2016 at 4:49 am

Hi jonathan
I think this will work :), i am not near system to check will check later.. Thank u for taking your valuable time to explain in detail .. Much clear now 🙂 .. Our community rocks 😊

August 3, 2016 at 9:36 am

Hi Jonathan

Its not working 🙁 . are you getting same count for both ?

$msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
$result = foreach($msg in $msgs){
    Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated

August 3, 2016 at 10:33 am

Hi Suresh,

I think the below should give you what you want.

# Set filter hash specifying event log name and event id
$FilterHash = @{
    logname = 'Application'
    id      = 1003

# Get all events matching filter
$AllEvents = Get-WinEvent –FilterHashtable $FilterHash

# Get all unique messages (just for comparison)
$UniqueMessages = $AllEvents | Select-Object -Property Message -Unique

# Build result set while tracking if message has been seen before
$Result = @()
foreach ($Event in $AllEvents)
    if (-not ($Result.Message -contains $Event.Message))
        $Result = $Result + $Event

# Get TimeCreated and message from result set
$Result | Select-Object -Property TimeCreated, Message

August 3, 2016 at 2:28 pm

Your code is missing the filter to only select the last event that is why the counts are different.

$msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
$result = foreach($msg in $msgs){
    Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|
    Where-Object{$_.Message -eq $msg.Message}|
    Select-Object TimeCreated

should be

$msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
$result = foreach($msg in $msgs){
    Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|
    Where-Object{$_.Message -eq $msg.Message}|
    Select-Object TimeCreated,Message -Last 1

August 4, 2016 at 1:05 am

Excellent .. It worked. 🙂 .once again thank you so much :):) you have been really helpful . Cheers.

August 5, 2016 at 1:12 pm

One small thing:

Always wrap your commands in @() when you expect multiple values, but might get 0 or 1.

Because this gives an error:

Set-StrictMode -Version "latest"
$Events = Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1

# The property 'Count' cannot be found on this object. Verify that the property exists.

But this will work:

Set-StrictMode -Version "latest"
$Events = @(Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1)

# 1

That might save you some serious headache if you some day in the future suddenly get a single event.

August 5, 2016 at 1:52 pm

Thanks Christian 🙂 and thanks paul Brathen for your help 🙂 .. Cheers