Get event logs and count warnings

Question

(Get-EventLog -LogName System | Where-Object {$_.EntryType -eq "Warning"}).count

If I run the command, it returns all warnings, but I only want to extract the count for only 4 event IDs for example 1006,1007,455 and 6003. Could someone help me in this case?

Answer 1

Get-Event with FilterHashtable does the job:

(Get-WinEvent -FilterHashtable @{ logname = 'System'; Level = 3; Id = 1006,1007,455,6003 }).count

Level values:

Comment(or Verbose)  5
Information          4
Warning              3    [int][System.Diagnostics.Eventing.Reader.StandardEventLevel]::Warning
Error                2
Critical             1
LogAlways            0

or create an object

 $Event = @{
 Warning = [int][System.Diagnostics.Eventing.Reader.StandardEventLevel]::Warning
 Error = [int][System.Diagnostics.Eventing.Reader.StandardEventLevel]::Error
 }

$Event.Warning gives the value 3

Answer 2

You can use below command to get the result you want:

 (Get-EventLog -LogName System | Where-Object {$_.EntryType -eq "Warning"} | Where-Object {$_.InstanceId -like "1006" -or $_.InstanceId -like "1007" -or $_.InstanceId -like "455"} -or $_.InstanceId -like "6033"}).count

The result to will get the count of InstanceId's you provided.

Option 2 - If you want to find count for records from last 2 hours then use below command:

 (Get-EventLog -LogName System -After (Get-Date).AddHours(-2) | Where-Object {$_.EntryType -eq "Warning"} | Where-Object {$_.InstanceId -like "1006" -or $_.InstanceId -like "1007" -or $_.InstanceId -like "455"} -or $_.InstanceId -like "6033"}).count