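WMI event filter query in a PowerShell script

Time: 2018-08-24 14:25:12

Tags: powershell wmi wql

I am trying to add two different WMI events to an SCCM server using a PowerShell script that someone else wrote. I have to combine the two event queries into a single query, but I am not sure how best to do that. I have tried several approaches so far. Here is the code: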

Function WMI-InstanceFilter
{
    # Function Started
    LogTraceMessage "*** Function WMI-InstanceFilter Started ***"
    Write-Verbose "*** Function WMI-InstanceFilter Started ***"

    # Query is left empty here; it is the value the question asks about
    $PropertyHash = @{
        QueryLanguage = "WQL";
        Query = "";
        Name = "Name";
        EventNameSpace = "root/sms/site_$($SiteCode)"
    }

    $Script:InstanceFilter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $PropertyHash -Verbose -ErrorAction Stop
}

These are the two event queries that I need to combine somehow and put into the Query line:

SELECT * FROM __InstanceOperationEvent Within 900 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'drivers - %'

SELECT * FROM __InstanceOperationEvent Within 300 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'BIOS - %'

What is the best way to do this?

1 answer:

Answer 0: (score: 1)

You are dealing with WQL in the query, and you can only have one WITHIN value (see https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/within-clause), so you will have to choose either 300 (seconds = 5 minutes) or 900 (seconds = 15 minutes), or a compromise value somewhere between them.

Your combined SELECT statement will look like this:

SELECT * FROM __InstanceOperationEvent WITHIN 900 WHERE TargetInstance ISA 'SMS_Package' AND (TargetInstance.Name LIKE 'drivers - %' OR TargetInstance.Name LIKE 'BIOS - %')

Change the WITHIN value to whatever best suits your needs.

Do you need both drivers and BIOS at the same time, or could you use a parameter-driven switch statement to swap between them?

Something like this:

Function WMI-InstanceFilter {
    [CmdletBinding()]
    param (
        [ValidateSet('Bios', 'Drivers')]
        [string]$InstanceType
    )

    # Function Started
    LogTraceMessage "*** Function WMI-InstanceFilter Started ***"
    Write-Verbose "*** Function WMI-InstanceFilter Started ***"

    # Pick the query that matches the requested instance type
    switch ($InstanceType) {
        'Drivers' {
            $query = "SELECT * FROM __InstanceOperationEvent Within 900 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'drivers - %'"
        }
        'Bios' {
            $query = "SELECT * FROM __InstanceOperationEvent Within 300 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'BIOS - %'"
        }
    }

    $PropertyHash = @{
        QueryLanguage = "WQL"
        Query = $query
        Name = "Name"
        EventNameSpace = "root/sms/site_$($SiteCode)"
    }

    $Script:InstanceFilter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $PropertyHash -Verbose -ErrorAction Stop
}
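
An added example, not part of the original answer or script: one way to build the combined query from a list of name prefixes and register it as a single filter. The function names, parameters and the sample site code and filter name are hypothetical; the example generalizes the two prefixes above to any number, validates them before they are placed in the WQL text, and parenthesizes the OR group so the ISA test applies to every alternative.

```powershell
# Added example: function names and parameters are hypothetical, not from the original script.
function Get-PackageEventQuery {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string[]]$NamePrefix,          # e.g. 'drivers - ', 'BIOS - '
        [ValidateRange(1, 86400)]
        [int]$PollingSeconds = 300      # WQL allows a single WITHIN value per query
    )

    $clauses = foreach ($prefix in $NamePrefix) {
        # Allow only letters, digits, spaces and hyphens so a prefix cannot
        # put quotes or LIKE wildcards (% _ [ ]) into the query text.
        if ($prefix -notmatch '^[A-Za-z0-9 -]+$') {
            throw "Unsupported characters in prefix '$prefix'"
        }
        "TargetInstance.Name LIKE '$($prefix)%'"
    }

    # Parenthesize the OR group so the ISA test applies to every alternative.
    "SELECT * FROM __InstanceOperationEvent WITHIN $PollingSeconds " +
    "WHERE TargetInstance ISA 'SMS_Package' AND (" + ($clauses -join ' OR ') + ")"
}

function Register-PackageEventFilter {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]+$')][string]$SiteCode,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9 _-]+$')][string]$FilterName,
        [Parameter(Mandatory)][string]$Query
    )

    # Return the existing filter if one with this name is already registered.
    $existing = Get-CimInstance -Namespace root/subscription -ClassName __EventFilter `
        -Filter "Name='$FilterName'" -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    New-CimInstance -Namespace root/subscription -ClassName __EventFilter -ErrorAction Stop -Property @{
        QueryLanguage  = 'WQL'
        Query          = $Query
        Name           = $FilterName
        EventNameSpace = "root/sms/site_$SiteCode"
    }
}

$query = Get-PackageEventQuery -NamePrefix 'drivers - ', 'BIOS - ' -PollingSeconds 300
$query   # inspect the generated WQL before registering it
# Constructed sample values; replace with your own site code and filter name:
# Register-PackageEventFilter -SiteCode 'XYZ' -FilterName 'PackageChangeFilter' -Query $query
```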