Tsukasa

Reputation: 6562

EventLog XML Query Filter Date Range

Can't seem to find the right syntax to query the event log between a specific date range.

<QueryList>
  <Query Id="0" Path="Security">
        <Select Path="Security"> 
        *[EventData[Data[@Name='SubjectUserName'] and (Data='test')]] 
        and
        *[System[TimeCreated[@SystemTime'] &gt;= '2015-01-24T00:00:000Z']]
        and
        *[System[TimeCreated[@SystemTime'] &lt;= '2015-01-26T00:00:000Z']]
    </Select>
  </Query>
</QueryList>

Upvotes: 2

Views: 9302

Answers (3)

Ashraf Ali

Reputation: 1

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[TimeCreated[@SystemTime&gt;='2023-05-29T13:02:39.6038951Z']]] and
      *[System[TimeCreated[@SystemTime&lt;='2023-05-29T13:15:03.7728533Z']]]
    </Select>
  </Query>
</QueryList>

Upvotes: 0

Mathias Fingerhut

Reputation: 11

This syntax is wrong: [System[TimeCreated[@SystemTime] &gt;= ...
It must be [System[TimeCreated[@SystemTime&gt;= ...

See my correction below:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
    *[System[TimeCreated[@SystemTime&gt;='2017-12-28T00:00:00' and @SystemTime&lt;='2018-01-04T00:00:00']]]
    </Select>
  </Query>
</QueryList>

Upvotes: 1
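
An added example, not part of any answer on this page: a Python helper that generates the date-range query with both comparisons inside the `[@SystemTime ...]` predicate, as in the answer above. It converts the bounds to UTC and XML-escapes the operators. The function names and the `Data[@Name='SubjectUserName']='...'` equality form for the user filter are choices of this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
from xml.sax.saxutils import escape, quoteattr


def to_system_time(dt: datetime) -> str:
    """Render an aware datetime as UTC, e.g. 2015-01-24T00:00:00.000Z."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware (SystemTime is UTC)")
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"


def build_xpath(start: datetime, end: datetime,
                subject_user: Optional[str] = None) -> str:
    """Date-range XPath; both bounds sit inside the TimeCreated predicate."""
    if start > end:
        raise ValueError("start must not be later than end")
    xpath = (f"*[System[TimeCreated[@SystemTime>='{to_system_time(start)}' "
             f"and @SystemTime<='{to_system_time(end)}']]]")
    if subject_user is not None:
        # XPath 1.0 has no escape for quotes inside a literal, so refuse them
        # rather than let a user name alter the filter.
        if "'" in subject_user or '"' in subject_user:
            raise ValueError("quote characters are not allowed in the user name")
        xpath += f" and *[EventData[Data[@Name='SubjectUserName']='{subject_user}']]"
    return xpath


def build_query(channel: str, start: datetime, end: datetime,
                subject_user: Optional[str] = None) -> str:
    """Wrap the XPath in a QueryList; escape() turns < and > into &lt; / &gt;."""
    path = quoteattr(channel)
    select = escape(build_xpath(start, end, subject_user))
    return (f"<QueryList>\n"
            f"  <Query Id=\"0\" Path={path}>\n"
            f"    <Select Path={path}>{select}</Select>\n"
            f"  </Query>\n"
            f"</QueryList>")


if __name__ == "__main__":
    # Constructed sample: the question's range, with the start given in UTC+1.
    cet = timezone(timedelta(hours=1))
    print(build_query("Security",
                      datetime(2015, 1, 24, 1, 0, tzinfo=cet),
                      datetime(2015, 1, 26, 0, 0, tzinfo=timezone.utc),
                      subject_user="test"))
```

The printed XML can be pasted into the XML tab of an Event Viewer custom filter or passed to `Get-WinEvent -FilterXml`.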

waheed Asghar

Reputation: 95

I see an extra apostrophe in your query, just in front of SystemTime. I just removed that; try this. It should run now.

<QueryList>
  <Query Id="0" Path="Security">
        <Select Path="Security"> 
        *[EventData[Data[@Name='SubjectUserName'] and (Data='test')]] 
        and
        *[System[TimeCreated[@SystemTime] &gt;= '2015-01-24T00:00:000Z']]
        and
        *[System[TimeCreated[@SystemTime] &lt;= '2015-01-26T00:00:000Z']]
    </Select>
  </Query>
</QueryList>

Upvotes: 0
