How to pull eventlogs during the last week only

(OP)
Hello,

I use the following code to get events from the security log, by computername and event id. I need to take it one step further. I want to pull these events that occurred during the last week. How can I modify the command below to do this? I know it has something to do with TimeGenerated but not sure how to structure it so that only the last week's events are pulled. TIA

CODE

Get-WmiObject -Class win32_NTLogEvent -filter "logfile = '$log' and EventCode = '$eventID'" -computerName $computerName

RE: How to pull eventlogs during the last week only

(OP)
Actually the full code is this:

CODE


Function Get-EventsByWmi($computerName,$log,$eventID) #the params defined above are used as inputs here in the function definition
{
 Get-WmiObject -Class win32_NTLogEvent -filter "logfile = '$log' and EventCode = '$eventID'" -computerName $computerName
} #end
 

RE: How to pull eventlogs during the last week only

If you have or can upgrade to PowerShell v2, the Get-EventLog cmdlet has been updated to include -After <DateTime> and -Before <DateTime> parameters. In place of your Get-WmiObject statement you should be able to do something like this

CODE

Get-EventLog -LogName $log -ComputerName $computerName -After (Get-Date).AddDays(-7) | Where {$_.eventID -eq $eventID}

Sadly enough the cmdlet doesn't have an EventID parameter, which is why the pipe to Where is needed.

You could probably add

CODE

and TimeGenerated > '$timeperiod'

to your WMI -filter, but you'd have to search for how to convert the time to the format expected by TimeGenerated.
 

RE: How to pull eventlogs during the last week only

(OP)
Thanks crobin1! But I heard that Get-EventLog does not run remotely, that is why I am using WMI to get the event log remotely. But maybe in v2 of PowerShell, they might have added the ability to run it remotely also?

RE: How to pull eventlogs during the last week only

In PowerShell v1 Get-EventLog could not run against remote computers, but in v2 they added the -ComputerName parameter (as in the code above). This lets you retrieve logs from remote computers, even if the remote computer does not have PowerShell installed.
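
The `TimeGenerated` filter suggested above for the WMI route, written out as an added example that is not part of the original thread: it converts the cutoff date to the DMTF datetime string that `Win32_NTLogEvent` uses, so the one-week restriction is applied by the remote machine instead of after the events are returned. The function name `Get-RecentEventsByWmi`, the `-Days` parameter and the sample event ID are assumptions, and it targets Windows PowerShell, where `Get-WmiObject` is available.

```powershell
# Added example (hypothetical function name and parameters, not from the thread).
function Get-RecentEventsByWmi {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,

        # Allow only letters, digits, underscore, space and hyphen so the log
        # name cannot break out of the quoted WQL string literal below.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[\w \-]+$')]
        [string]$Log,

        # Typed as [int] so only a number can reach the WQL filter.
        [Parameter(Mandatory = $true)][int]$EventID,

        [ValidateRange(1, 3650)][int]$Days = 7
    )

    # WMI holds TimeGenerated as a DMTF datetime string
    # (yyyymmddHHMMSS.mmmmmm+UUU), so convert the cutoff to that format.
    $cutoff     = (Get-Date).AddDays(-$Days)
    $dmtfCutoff = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($cutoff)

    # The datetime value must be a quoted string literal in WQL.
    $filter = "Logfile = '$Log' AND EventCode = $EventID AND TimeGenerated >= '$dmtfCutoff'"

    Get-WmiObject -Class Win32_NTLogEvent -ComputerName $ComputerName -Filter $filter |
        Select-Object ComputerName, Logfile, EventCode, RecordNumber,
            @{ Name       = 'TimeGenerated'
               # Convert the DMTF string back to a [DateTime] for sorting and export.
               Expression = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated) } },
            Message
}

# Constructed sample call: event ID 4625 (failed logon) in the Security log of
# the local machine over the last 7 days. Reading the Security log requires an
# elevated session or membership in a group with rights to that log.
Get-RecentEventsByWmi -ComputerName $env:COMPUTERNAME -Log 'Security' -EventID 4625 |
    Sort-Object TimeGenerated -Descending |
    Format-Table TimeGenerated, EventCode, RecordNumber -AutoSize
```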
