gbzygil
Reputation: 141
Powershell Get-Winevent Filterhashtable
This is a working query i have now.
powershell "Get-WinEvent -EA SilentlyContinue -FilterHashtable @{ProviderName='Microsoft-Windows-DriverFrameworks-UserMode';ID=2003,2100;StartTime='2014-08-18 16:01:57';EndTime='2014-08-18 23:59:59'} | where {$_.Message -match '27, 23'}| ConvertTo-Csv -NoTypeInformation | %{ $_ -replace """`r`n""",',' } | select -Skip 1| Out-File -Append c:\TEMP\TIMELINE\TEMP.csv"
How can i change it in such a way that it fetches:
(Event ID 2003)
OR
(Event ID 2100 and Message -match '27, 23')
Thank You..
Upvotes: 0
Views: 1234
Answers (2)
Mosser Lee
Reputation: 48
Filterhashtable does not support bool expression. Your can take 2 work around ways.
- Use PowerShell where pipeline.
- Use -FilterXml parameter instead of Filterhashtable
Upvotes: 0
TheMadTechnician
Reputation: 36287
Simply change the Where statement to use an -OR statement, and then group the ID and message with an -AND statement:
where {$_.ID -eq "2003" -or ($_.ID -eq "2100" -and $_.Message -match '27, 23')}
Upvotes: 1
Related Questions
- PowerShell WinEvent FilterHashtable wildcard
- Get-WinEvent -FilterHashTable with multiple IDs in a variable not working
- Powershell filter output data from Get-WinEvent
- An empty pipe element is not allowed, Get-WinEvent -FilterHashtable
- PowerShell, weird behaviour of Get-WinEvent -FilterHashTable ID and arrays
- Powershell - Get-WinEvent
- PowerShell Get-Winevent by Keywords and Provider Name issues
- get-winevent: working with properties
- Get-WinEvent returning a string?
- powershell Get-Winevent -FilterXML