Dpitt1968

Reputation: 109

PowerShell parsing select-object even further

So for this script given to me by @Frode F. how would I parse it down even further?
Here is what @Frode F. gave me --

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated,
    @{name='NewProcessName';expression={ $_.Properties[5].Value }},
    @{name='CommandLine';expression={ $_.Properties[8].Value }}

Now how do I parse it down to remove certain events? Here is my code -

$search = @("C:\*")
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated,
    @{name='NewProcessName';expression={ $_.Properties[5].Value }},
    @{name='CommandLine';expression={ $_.Properties[8].Value }} |
    Where-Object -FilterScript { $_.Properties[8].Value -notlike $search }

This keeps giving me a "cannot index into a null array" error.

Upvotes: 0

Views: 1150

Answers (1)

David Turner

Reputation: 316

The Where-Object cmdlet is operating on the results piped out from the preceding Select-Object cmdlet.

Try replacing:

$_.Properties[8].Value -notlike $search

with:

$_.CommandLine -notlike $search

Edit: @Negorath and @Kiran are correct. You'll likely end up with a better performing solution if you re-arrange the pipeline to filter before you select.

Upvotes: 2
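The filter-before-select arrangement mentioned in the edit above, as an added example that is not part of the original answer. It goes slightly further than the question by accepting several exclusion patterns; the helper name `Test-CommandLineExcluded` and the second pattern are assumptions made for illustration.

```powershell
# Added example. Patterns are constructed sample values; 'C:\*' is the one
# from the question, the quoted variant covers command lines that start with ".
$excludePatterns = @('C:\*', '"C:\*')

# Hypothetical helper: returns $true when the command line matches any pattern.
function Test-CommandLineExcluded {
    param(
        [string]   $CommandLine,
        [string[]] $Patterns
    )
    foreach ($pattern in $Patterns) {
        if ($CommandLine -like $pattern) { return $true }
    }
    return $false
}

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID      = 4688
} |
    Where-Object {
        # At this stage $_ is still the raw event record, so .Properties exists.
        # Guard the index: records with fewer fields have no CommandLine entry.
        $cmd = if ($_.Properties.Count -gt 8) { [string]$_.Properties[8].Value } else { '' }
        -not (Test-CommandLineExcluded -CommandLine $cmd -Patterns $excludePatterns)
    } |
    Select-Object TimeCreated,
        @{ Name = 'NewProcessName'; Expression = { $_.Properties[5].Value } },
        @{ Name = 'CommandLine'; Expression = {
            # Same guard as above so short records yield an empty string.
            if ($_.Properties.Count -gt 8) { $_.Properties[8].Value } else { '' }
        } }
```

Events with an empty command line are kept by this filter, which is what you will see for every 4688 event when command-line auditing for process creation is not enabled on the host.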
