Selecting unique objects along with other property

Welcome Forums General PowerShell Q&A Selecting unique objects along with other property

Viewing 7 reply threads
  • Author
    Posts
    • #49105
      Participant
      Topics: 15
      Replies: 24
      Points: 4
      Rank: Member

      Dear Community

      I need your help with my below query .

      I am trying to retrive event log message for particular event id and i need to extract message which are unique which i am able to get with below code , i also wanted to get timecreated property along with unique message which i am unable to get, i have tried few options but nothing works 🙁 . TIA

      $eventlogs = Get-WinEvent –FilterHashtable @{logname='Application';id=1194;starttime=$time} 
           $Message = $eventlogs | select-object message -unique
      
    • #49108
      Participant
      Topics: 1
      Replies: 169
      Points: 0
      Rank: Member

      Selecting with the TimeCreated property specified should give you what you need

      Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique
      • #49110
        Participant
        Topics: 15
        Replies: 24
        Points: 4
        Rank: Member

        Hi Jonathan

        Thanks for the reply . But its not working :(. It looks like the timecreated property is applied for unique.

        (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -unique).count
        4014
        (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -unique).count
        38

    • #49126
      Participant
      Topics: 1
      Replies: 169
      Points: 0
      Rank: Member

      That is correct

      -Unique
      Specifies that if a subset of the input objects has identical properties and values, only a single member of the subset will be selected.

      While the number will vary based on the system selecting without the -unique switch gives you the largest number.

      (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message).count
      93
      (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message).count
      93
      

      using -unique with just the message property will the unique messages and the smallest number of events

      (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique).count
      5
      

      adding any other property will expand the returns because all of the properties will be evaluated for the -unique switch.

      (Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object TimeCreated,message -Unique).count
      86
      

      If you are trying to limit the return to just the last event details(or what ever your requirements are) you will need to get the unique messages and then query based on your requirements. This example will get the last event for each message.

      $msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
      foreach($msg in $msgs){
          Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated,Message -Last 1
      }
      
    • #49128
      Participant
      Topics: 15
      Replies: 24
      Points: 4
      Rank: Member

      Hi jonathan
      I think this will work :), i am not near system to check will check later.. Thank u for taking your valuable time to explain in detail .. Much clear now 🙂 .. Our community rocks 😊

      • #49132
        Participant
        Topics: 15
        Replies: 24
        Points: 4
        Rank: Member

        Hi Jonathan

        Its not working 🙁 . are you getting same count for both ?

        $msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
        $result = foreach($msg in $msgs){
            Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|Where-Object{$_.Message -eq $msg.Message}|Select-Object TimeCreated
        }
        $result.count 
        
    • #49134
      Participant
      Topics: 4
      Replies: 104
      Points: 82
      Rank: Member

      Hi Suresh,

      I think the below should give you what you want.

      # Set filter hash specifying event log name and event id
      $FilterHash = @{
          logname = 'Application'
          id      = 1003
      }
      
      # Get all events matching filter
      $AllEvents = Get-WinEvent –FilterHashtable $FilterHash
      $AllEvents.Count
      
      
      # Get all unique messages (just for comparison)
      $UniqueMessages = $AllEvents | Select-Object -Property Message -Unique
      $UniqueMessages.Count
      
      
      # Build result set while tracking if message has been seen before
      $Result = @()
      foreach ($Event in $AllEvents)
      {
          if (-not ($Result.Message -contains $Event.Message))
          {
              $Result = $Result + $Event
          }
      }
      $Result.Count
      
      # Get TimeCreated and message from result set
      $Result | Select-Object -Property TimeCreated, Message
      
    • #49175
      Participant
      Topics: 1
      Replies: 169
      Points: 0
      Rank: Member

      Suresh
      Your code is missing the filter to only select the last event that is why the counts are different.
      This

      $msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
      $result = foreach($msg in $msgs){
          Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|
          Where-Object{$_.Message -eq $msg.Message}|
          Select-Object TimeCreated
      }
      $result.count 
      

      should be

      $msgs = Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|select-object message -Unique
      $msgs.count
      $result = foreach($msg in $msgs){
          Get-WinEvent –FilterHashtable @{logname='Application';id=1003}|
          Where-Object{$_.Message -eq $msg.Message}|
          Select-Object TimeCreated,Message -Last 1
      }
      $result.count 
      
      • #49421
        Participant
        Topics: 15
        Replies: 24
        Points: 4
        Rank: Member

        Thanks Christian 🙂 and thanks paul Brathen for your help 🙂 .. Cheers

    • #49206
      Participant
      Topics: 15
      Replies: 24
      Points: 4
      Rank: Member

      Excellent .. It worked. 🙂 .once again thank you so much :):) you have been really helpful . Cheers.

    • #49410
      Participant
      Topics: 14
      Replies: 34
      Points: 0
      Rank: Member

      One small thing:

      Always wrap your commands in @() when you expect multiple values, but might get 0 or 1.

      Because this gives an error:

      Set-StrictMode -Version "latest"
      $Events = Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1
      $Events.Count
      
      # The property 'Count' cannot be found on this object. Verify that the property exists.

      But this will work:

      Set-StrictMode -Version "latest"
      $Events = @(Get-WinEvent -FilterHashtable @{"LogName"="Application"} -MaxEvents 1)
      $Events.Count
      
      # 1

      That might save you some serious headache if you some day in the future suddenly get a single event.

Viewing 7 reply threads
  • The topic ‘Selecting unique objects along with other property’ is closed to new replies.