Query application event log between a certain time period

Question

I am trying to query application event log for a certain time period in order to check a specific event which confirms the backup status of an application. Since the backup schedule is set between 10:00 PM and 11:00 PM, I am trying to get info about event id 18264.

I use:

gwmi -computername somename -namespace root\cimv2 -query "Select EventCode from Win32_NTLogEvent where LogFile = 'Application' and EventCode = '18264'"

Now, what happens is that I get more than one output. I want to limit the output to 1 which is based on the latest. Example; get event id for yesterday between 10 PM and 11 PM. I see a column as TimeWritten. Can someone please help? Thanks!

Answer 1

There are specific cmdlets for reading event logs, these are much easier than using WMI. Eg.

Get-WinEvent -ComputerName comp1,comp2 `
             -FilterHashtable @{LogName='application'; 
                                starttime=([datetime]::today.AddDays(-1)); 
                                endtime=([datetime]::Today);
                                id=1704}

(line breaks added for clarity)

This will return all event #1704 from computers comp1 and comp2 from yesterday. Looks at the help for Get-WinEvent's FilterHashtable parameter (get-help get-WinEvent -param FilterHashtable) for more search criteria (eg. you can pass multiple log names and ids).

There is also a -MaxEvents parameter to limit the output to a number of events.

Answer 2

You can create a custom XPath query which can be used further in PowerShell, C# to query or watch event logs.

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=18264) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
  </Query>
</QueryList>