PS using Get-WinEvent with FilterXPath and datetime variables?

Posted by Jordan W. on Stack Overflow See other posts from Stack Overflow or by Jordan W.
Published on 2012-01-23T22:31:40Z Indexed on 2012/06/08 4:40 UTC
Read the original article Hit count: 429

Filed under:

datetime

|

powershell

|

filtering

|

event-log

I'm grabbing a handful of events from an event log in chronological order
don't want to pipe to Where
want to use get-winevent

After I get the Event1, I need to get the 1st instance of another event that occurs some unknown amount of time after Event1. then grab Event3 that occurs sometime after Event2 etc.

Basically starting with:

$filterXML = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (Level=4 or Level=0) and (EventID=12)]]</Select>
  </Query>
</QueryList>
'@    
$event1=(Get-WinEvent -ComputerName $PCname -MaxEvents 1 -FilterXml $filterXML).timecreated

Give me the datetime of Event1. Then I want to do something like:

Get-WinEvent -LogName "System" -MaxEvents 1 -FilterXPath "*[EventData[Data = 'Windows Management Instrumentation' and TimeCreated -gt $event1]]"

Obviously the timecreated part bolded there doesn't work but I hope you get what I'm trying to do. any help?

© Stack Overflow or respective owner

Related posts about datetime

Finding begin and end of year/month/day/hour

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm using the following snipped to find the begin and end of several time periods in Joda. The little devil on my left shoulder says thats the way to go... but I dont believe him. Could anybody with some joda experience take a brief look and tell me that the little guy is right? (It will be only… >>> More
Get non-overlapping dates ranges for prices history data

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, Let's assume that I have the following table: CREATE TABLE [dbo].[PricesHist]( [Product] varchar NOT NULL, [Price] [float] NOT NULL, [StartDate] [datetime] NOT NULL, [EndDate] [datetime] NOT NULL ) INSERT [dbo].[PricesHist] ([Product], [Price], [StartDate], [EndDate]) VALUES (N'Apples'… >>> More
DateTime.MinValue vs new DateTime() in C#

as seen on Stack Overflow - Search for 'Stack Overflow'
When getting SQL DateTime Resharper suggests to use new DateTime() when value is DBNull.Value. I've always used DateTime.MinValue. Which is the proper way? DateTime varData = sqlQueryResult["Data"] is DateTime ? (DateTime) sqlQueryResult["Data"] : new DateTime(); >>> More
SOLVED: Error 1 Ticks must be between DateTime.MinValue.Ticks and DateTime.MaxValue.Ticks

as seen on Dot net Slackers - Search for 'Dot net Slackers'
This is a simple looking error message that is deceptively hard to track down. Thankfully if you're having this problem then this article should get you back on track without spending hours scratching your head. Scenario It was time to update an existing website so after synchronising my copy of… >>> More
Converting Openfire IM datetime values in SQL Server to / from VARCHAR(15) and DATETIME data types

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
A client is using Openfire IM for their users, and would like some custom queries to audit user conversations (which are stored by Openfire in tables in the SQL Server database). Because Openfire supports multiple database servers and multiple platforms, the designers chose to store all date/time… >>> More

Related posts about powershell

In Powershell on Windows7, how do I automatically set aliases (or run scripts) when powershell loads

as seen on Super User - Search for 'Super User'
I have created a powershell cmdlet and assigned it to an Alias. How do I do this automatically every time powershell launches? (i.e. so I don't have to re-assign the alias every time) >>> More
How to Load commands into your powershell profile to run on starting powershell

as seen on Server Fault - Search for 'Server Fault'
Hi, I have found a way to load exchange 2010 powershell into powershell running on a windows xp workstation, however there are a few commands that need to run. I was wondering how I could load them into a profile somehow. These are the commands that I need to run before I can do any of the exchange… >>> More
C#, Powershell - Microsoft.Exchange.Management.PowerShell.Admin

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm having troubles using the Microsoft.Exchange.Management.PowerShell.Admin on a server. The server is not the one running Exchange 2007, it's a remote server (in the same zone). I can't figure out how to add the Snapin for Powershell - Microsoft.Exchange.Management.PowerShell.Admin. Is it possible… >>> More
PowerShell Script to Create PowerShell Profile

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Utilizing a PowerShell profile can help any PowerShell user save time getting up and running with their work. For those unfamiliar a PowerShell profile is a file you can store any PowerShell commands that you want to run when you fire up a PowerShell console (or ISE.) In my typical profiles (example… >>> More
Download Free PowerShell Quick Reference Guides from Microsoft

as seen on How to geek - Search for 'How to geek'
Are you just getting started with learning PowerShell or tired of looking up less frequently used commands? Then this terrific set of PowerShell quick reference guides from Microsoft is just what you need! The first guide focuses on commonly-used Windows PowerShell commands and is available in a single… >>> More