1

I have made a powershell script which is as below but since I won't be able to save it in .evtx format. I want the wevtutil equivalent(using wevtutil epl) for the same.Please help!

$ErrorTime=Get-WinEvent -FilterHashtable @{
  Logname      = 'Application'
  ID           = 1000
  ProviderName = 'Application Error'
} -MaxEvents 1 | select Select-Object -Expand TimeCreated

$Start_Time = ($ErrorTime).addhours(-2)
$End_Time = ($ErrorTime).addhours(2)

Get-WinEvent -FilterHashtable @{
     Logname='Application','System','Security' 'Setup' 
     StartTime=$Start_Time
     EndTime =$End_Time}

Just to tell what the script is doing. It is getting the timestammp for the last application error 1000 occurred,adding and subtracting two hours to that timestamp and then querying application system security and setup between those times.

I need something like this

wevtutil epl Application where time >= $Start_Time and time <= $End_Time

Please help.

0

You can use XPath to make specific event queries, with many event tools (Event MMC, Powershell, and Wevtutil). I'm comfortable with XML structures in other cases, SCOM management packs, HTML, etc, but I find XPath a little harder to get just right. A few points to remember are that:

  1. You need to make the query with Universal time because that's how the event subsystem records time. Time also needs to formatted as sortable ISO 8601 like 2016-01-10T18:47:34.
  2. You need to surround the time in single quotes for the query, and also escape those quotes for powershell, because powershell treats things within un-escaped single quotes as literals, which meanns variables within single quotes are not expanded unless escaped.
  3. Other times I've used XPath, it required greater/less than as &gt ; / &lt ; but here that would not work. Only the actual > < symbols worked.
  4. The beginning of the Xpath query contains "System", this does NOT refer to the event log type, it refers to the System branch of the event XML (screen shot below for an event from the Application log)

Sample

$time1 = ((get-date).toUniversalTime()).addHours(-22)
$time2 = ((get-date).toUniversalTime()).addHours(-24)
$newest = get-date($time1) -f s
$oldest = get-date($time2) -f s
$newest
$oldest
foreach ($logName in "Application Security System Setup".split(" ")) {
    WEVTUTIL.EXE EPL $logName "C:\temp\my$logName.evtx" "/q:*[System[TimeCreated[@SystemTime<=`'$newest`' and @SystemTime>=`'$oldest`']]]" /ow:true
}

eventXML

| | |

Not the answer you're looking for? Browse other questions tagged or ask your own question.