I have the following code that enumerates all event log sources and pulls the errors and warnings from the last few days.
# Every log that actually holds records
Get-WinEvent -ListLog * -EA silentlycontinue |
Where-Object { $_.recordcount } |
ForEach-Object {
# Newest 1000 events of the last 5 days from this log (hyphen before MaxEvents, not an en dash)
Get-WinEvent -FilterHashTable @{LogName=$_.logname;
StartTime=(get-date).AddDays(-5) } -MaxEvents 1000 |
Where-object {$_.LevelDisplayName -like 'Error' -OR
$_.LevelDisplayName -like 'Warning'}
}
It currently sorts by log name and then lists every relevant entry line by line underneath.
ProviderName: Microsoft-Windows-DNS-Server-Service
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
11/29/2018 9:08:57 AM 4013 Warning The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of t...
11/28/2018 8:39:35 PM 4015 Error The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:34:07 PM 4015 Error The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:28:39 PM 4015 Error The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:23:11 PM 4015 Error The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
I want to change the code so that it still groups by log provider name, but underneath I want a summary that counts each unique entry. The output would drop the date but list Id, Level, Message and a new "count" property that shows how many times the Id occurred.
Count Id LevelDisplayName Message
-------- ---- ---------------- ------------------
4 4015 Error The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
I can't get the result I want. Any suggestions?
Answer 0 (score: 0)
I think this is most of what you want. I had to assume that you want the count per log/provider, and that you want warnings and errors counted separately. I put the results in a custom object, which you can change as needed.
$b = Get-WinEvent -ListLog * -EA silentlycontinue | Where-Object { $_.recordcount }
ForEach ($a in $b) {
    # Errors and warnings of the last 5 days in this log (newest 1000 events at most)
    $result = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashTable @{LogName=$a.logname; StartTime=(get-date).AddDays(-5) } -MaxEvents 1000 | where-object {$_.LevelDisplayName -like 'Error' -OR $_.LevelDisplayName -like 'Warning'}
    if (-not $result) { continue }   # nothing to summarise for this log
    $Provider = $result.providerName | select -Unique
    foreach($p in $Provider)
    {
        # Restrict to this provider first so the counts really are per provider and Id
        $byProvider = @($result | Where-Object{$_.providerName -eq $p})
        $id = $byProvider | Select-Object -unique id
        foreach($i in $id)
        {
            $matching = @($byProvider | Where-Object{$_.id -eq $i.id})
            $filler = $matching[0]   # first event supplies the representative Message text
            # @() so .count is 0 or 1 for empty/single results instead of $null
            $errorcount = @($matching | Where-Object{$_.leveldisplayname -eq "Error"}).count
            $warningCount = @($matching | Where-Object{$_.leveldisplayname -eq "Warning"}).count
            [pscustomObject]@{
                'Provider' = $p
                'ErrorCount' = $errorcount
                'WarningCount' = $warningCount
                'Id' = $filler.Id
                'Message' = $filler.Message
            }
        }
    }
}
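The per-provider, per-Id summary the question asks for is what Group-Object does natively, so here is an added example (my code, not the question's or the answer's) that builds it without nested loops. The function `Get-EventIdSummary` and the helper `Get-RecentErrorWarningSummary` are names I chose; the property names it reads (ProviderName, Id, LevelDisplayName, Message) are the ones Get-WinEvent's event records expose. The sample events at the bottom are constructed to mirror the DNS entries shown in the question, so the block runs offline on any PowerShell. One check worth making in the original pipeline: `-MaxEvents 1000` caps the events before the `Where-Object` level filter runs, so on a busy log full of informational entries the errors can fall outside the 1000 and silently disappear; the live helper filters on `Level = 2, 3` (Error, Warning) inside the hashtable so the cap applies only to events you keep.

```powershell
# Added example: summarise Error/Warning events per provider and event Id with
# Group-Object. Not code from the question or answer above.

function Get-EventIdSummary {
    # Accepts any objects carrying ProviderName, Id, LevelDisplayName and Message,
    # i.e. the records Get-WinEvent returns or the constructed sample below.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Event
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($e in $Event) { $all.Add($e) } }
    end {
        # One group per (provider, id, level); the group size is the count.
        $all |
            Group-Object -Property ProviderName, Id, LevelDisplayName |
            ForEach-Object {
                $first = $_.Group[0]   # representative event supplies the Message text
                [pscustomobject]@{
                    ProviderName     = $first.ProviderName
                    Count            = $_.Count
                    Id               = $first.Id
                    LevelDisplayName = $first.LevelDisplayName
                    Message          = $first.Message
                }
            } |
            Sort-Object ProviderName, @{ Expression = 'Count'; Descending = $true }, Id
    }
}

function Get-RecentErrorWarningSummary {
    # Live version for a Windows host: walks every non-empty log, keeps only
    # Level 2 (Error) and 3 (Warning) events of the last $Days days, and summarises.
    # Filtering on Level inside the hashtable means -MaxEvents caps the kept
    # events, not the informational noise in front of them.
    param(
        [int] $Days = 5,
        [int] $MaxEvents = 1000
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents $MaxEvents -FilterHashtable @{
                LogName   = $_.LogName
                Level     = 2, 3
                StartTime = $since
            }
        } |
        Get-EventIdSummary
}

# Constructed sample input (assumed; mirrors the DNS entries shown in the question).
$dns = 'Microsoft-Windows-DNS-Server-Service'
$sample = @(
    [pscustomobject]@{ ProviderName = $dns; Id = 4013; LevelDisplayName = 'Warning'; Message = 'The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has completed.' }
    [pscustomobject]@{ ProviderName = $dns; Id = 4015; LevelDisplayName = 'Error';   Message = 'The DNS server has encountered a critical error from the Active Directory.' }
    [pscustomobject]@{ ProviderName = $dns; Id = 4015; LevelDisplayName = 'Error';   Message = 'The DNS server has encountered a critical error from the Active Directory.' }
    [pscustomobject]@{ ProviderName = $dns; Id = 4015; LevelDisplayName = 'Error';   Message = 'The DNS server has encountered a critical error from the Active Directory.' }
    [pscustomobject]@{ ProviderName = $dns; Id = 4015; LevelDisplayName = 'Error';   Message = 'The DNS server has encountered a critical error from the Active Directory.' }
    [pscustomobject]@{ ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1; LevelDisplayName = 'Warning'; Message = 'Constructed warning from a second provider.' }
)

$summary = $sample | Get-EventIdSummary

# Grouped display like the question's desired output: provider header, then
# Count / Id / Level / Message rows with no timestamp column.
$summary | Format-Table -GroupBy ProviderName -Property Count, Id, LevelDisplayName, Message -AutoSize

# On a domain controller or any Windows box, replace $sample with the live data:
# Get-RecentErrorWarningSummary -Days 5 |
#     Format-Table -GroupBy ProviderName -Property Count, Id, LevelDisplayName, Message -AutoSize
```

With the sample input the DNS provider yields two rows, `4 4015 Error ...` and `1 4013 Warning ...`, which is exactly the shape the question asked for. If you prefer a single row per Id with errors and warnings side by side, as the answer does, group on `ProviderName, Id` only and derive the two counts from `$_.Group` with a `Where-Object` on LevelDisplayName.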