如何在powershell中将对象分组*几乎相同?

时间:2013-10-16 14:23:43

标签: powershell group-by

我正在尝试使用以下内容获取事件日志中的事件计数:

get-eventlog application -Entrytype Error -After (Get-Date).AddDays(-7)  | group-object -property eventID, source, message

但是,由于某些事件消息的消息中存在时间戳,因此它们无法正确分组。 (从技术上讲,他们“做”组合正确,但我想要计算所有这些。)

举个例子,有这个错误:

3221241857 Failed to schedule Software Protection service for re-start at 2113-09-21T21:37:24Z. Error Code: 0x80041316.

我希望对所有这些进行分组,以便在一行中计算所有这些,而不是每个错误的一行,因为它将消息视为唯一,因为时间戳不同。

我可以使用正则表达式删除时间戳吗?不知道如何在PS中这样做。

为了说明这一点,我目前得到:

    Name   : 489, ESENT, taskhostex (1560) An attempt to open the file "C:\Users\xxxx\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because 
             it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
    Count  : 12
    Group  : {System.Diagnostics.EventLogEntry}
    Values : {489, ESENT, taskhostex (1560) An attempt to open the file "C:\Users\xxxx\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because 
             it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).}

    Name   : 16385, Software Protection Platform Service, Failed to schedule Software Protection service for re-start at 2113-09-21T15:41:11Z. Error Code: 0x80041316.
    Count  : 1
    Group  : {System.Diagnostics.EventLogEntry}
    Values : {16385, Software Protection Platform Service, Failed to schedule Software Protection service for re-start at 2113-09-21T15:41:11Z. Error Code: 0x80041316.}

    Name   : 16385, Software Protection Platform Service, Failed to schedule Software Protection service for re-start at 2113-09-21T20:03:35Z. Error Code: 0x80041316.
    Count  : 1
    Group  : {System.Diagnostics.EventLogEntry}
    Values : {16385, Software Protection Platform Service, Failed to schedule Software Protection service for re-start at 2113-09-21T20:03:35Z. Error Code: 0x80041316.}

但是底层错误应归为一类。

1 个答案:

答案 0 :(得分:1)

您可以添加仅用于分组的属性:

get-eventlog application -Entrytype Error -After (Get-Date).AddDays(-7)  |
 foreach { $_ | Add-Member Noteproperty -Name GrpMsg -Value ($_.Message -replace '[0-9T:-]+z','') -PassThru} |
 group-object -property eventID, source, GrpMsg
相关问题
最新问题