Reputation: 403
Get-WinEvent -filterXPath stopped working
I am trying to do some event querying using Get-WinEvent and XPath. I was successfully testing it before I left work yesterday, but today, no matter what I try, it keeps telling me that there are no matching events.
I still have the PowerShell window open from yesterday with the successful query, and even repeating the same commands via shell history is returning nothing.
I can't get any XPath queries to work. Simple example, this returns thousands of event records:
$EventFilter = @{
Logname = 'Microsoft-Windows-TaskScheduler/Operational'
ProviderName = "Microsoft-Windows-TaskScheduler"
Id = 129
}
Get-WinEvent -FilterHashtable $EventFilter -verbose
But the following claims No events were found that match the specified selection criteria.:
[xml]$XPath = @"
<QueryList>
<Query Id="0" Path="microsoft-windows-taskscheduler/operational">
<Select Path="microsoft-windows-taskscheduler/operational">*
[System/Provider[@Name='microsoft-windows-taskscheduler'] and
(System/EventID=129)]
</Select>
</Query>
</QueryList>
"@
Get-WinEvent -logname 'Microsoft-Windows-TaskScheduler/Operational' -FilterXPath $XPath
NOTE: I am NOT using invalid queries. The xml above is simply reformatted from the query (constructed and) displayed from the -verbose switch on the first one. In the end, I need to use XPath because -FilterHashtable is too limited, but I even can't get the simple XPath queries to work.
I'm starting to pull my hair out on this. What could possibly prevent this from working today when it worked before?
Thanks.
Upvotes: 0
Views: 691
Answers (2)
Reputation: 8432
There are two different (but similar) parameters you can use. The -FilterXPath one you are using requires only the filter to be supplied. So, your example should be:
$XPath = "*[System/Provider[@Name='microsoft-windows-taskscheduler'] and (System/EventID=129)]"
Get-WinEvent -logname 'Microsoft-Windows-TaskScheduler/Operational' -FilterXPath $XPath
The alternative is to use -FilterXml, which takes the full query XML you had originally (but no -LogName parameter):
$XPath = @"
<QueryList>
<Query Id="0" Path="microsoft-windows-taskscheduler/operational">
<Select Path="microsoft-windows-taskscheduler/operational">*
[System/Provider[@Name='microsoft-windows-taskscheduler'] and
(System/EventID=129)]
</Select>
</Query>
</QueryList>
"@
Get-WinEvent -FilterXml $XPath
Upvotes: 1
Reputation: 192
Are you using the ISE? Have you tried to close it out, open and rerun your script?
I've had similar weird issues with the ISE where it seemed it didn't want to let go of variables, etc and closing it out worked.
Upvotes: 0
Related Questions
- Get-WinEvent -FilterHashTable with multiple IDs in a variable not working
- EventLogPropertySelector Not Returning Extended Data From Event Object In PowerShell
- PowerShell parsing Win-Event XML
- An empty pipe element is not allowed, Get-WinEvent -FilterHashtable
- powershell: get-winevent has no message data?
- Failed to get Event-Data Field Data in PowerShell
- Powershell Get-WinEvent Xpath Query not valid
- PS using Get-WinEvent with FilterXPath and datetime variables?
- powershell Get-Winevent -FilterXML
- Powershell Get-Winevent Filterhashtable