UPDATE: I made a GUI around it and published it on Technet, download it here!
Did you ever found yourself in a situation where you couldn’t pinpoint the exact cause of a particular problem or you just need to know what exactly happened on your machine but can’t find the culprit? Unfortunately these things are quite common in the daily life of a SysAdmin, first thing on your list should be checking the eventlog for any indications corresponding to your issue. You will be likely scrolling through the application and system log and if it exists the event log of the application related to your issue.
But what if you couldn’t find anything but you do know the exact timeframe when the issue occurred? Browsing and scrolling to each container and the corresponding logs is a time consuming process and even then you don’t have a quick and sorted overview of all events. You already guessed it! PowerShell to the rescue with a simple lifesaving one-liner which can be customized to your needs.
|
1 |
Get-WinEvent -ListLog * | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime="21-09-2014 11:10";EndTime="21-09-2014 11:20"} -ea 0} | sort timecreated -des |
First ‘Get-WinEvent’ is used to retrieve all the logs available on the system and piped through the ‘%’ symbol which is used as the ‘foreach’ alias. Then ‘get-winevent’ is used again to fetch all the events from these logs by means of the ‘FilterHashTable’ parameter which filters out events for the log in question (‘$_.Logname’) based upon the date/time information you specify in the ‘StartTime’ and ‘Endtime’ keys. I also added the ‘ea’ as an extra parameter, ‘ea’ is short (alias) for “ErrorAction’ and the 0 value is short for ‘SilentlyContinue’. The reason for that is the numerous error messages you get when ‘get-winevent’ couldn’t find events in the specified time frame. For viewing purposes all events are sorted (‘sort’) in descending order (‘-des’) based on ‘timecreated’. And of course you could set the one-liner to a variable, by that creating your own view by selecting the properties you want see or use the where and match operators to filter down the events even further.
The date/time notation depends on the machines regional settings, you could also use the cmdlet ‘get-date‘ and modify the start time by adding minutes,hours or days combined with a negative value to go back in time.
|
1 2 |
$Start= (Get-Date).AddHours(-1); $End= Get-Date Get-WinEvent -ListLog * | % {Get-WinEvent -FilterHashTable @{LogName=$_.LogName;StartTime=$Start;EndTime=$End}} | sort timecreated -des |
The ‘FilterHashTable’ is simply the fastest way, it only retrieves the data you exactly need, if for some reason the filtering doesn’t work for you it can be left out. But then you will have to use native PowerShell ‘where’ filtering, the drawback of this is that it would take a tremendous amount of time since all events on the system will be retrieved. One way to limit the number of events is using the ‘-maxevents (number)’ parameter but that defies the purpose if you ask me, one other way is using the older and slower ‘Get-Eventlog’.
The one-liner could be much shorter but the shorter one isn’t compatible with all PowerShell versions and OSés. This is because the ‘FilterHashTable’ doesn’t always accept the wildcard in the ‘Logname’ key, performance is nearly the same. For your convenience, ‘get-date’ is merged into the one-liner. The ‘EndTime’ key and value are removed, this way it will search everything up to the current date and time.
|
1 |
Get-WinEvent -FilterHashTable @{LogName="*";StartTime=(get-date).addminutes(-60)} -ea 0 | sort timecreated -des |
