Powershell: How can I extract time from the message field of eventlog?

Question

I'm trying to get unexpected shutdown times of Windows Sever 2008 machines via Get-EventLog in Powershell. I can get close by searching for events with an EventID of 6008 and selecting only message, but I need to parse within the field to grab the time it occurred (not the time the event fired).

I've tried to use replacementstrings[x] but I can't find how to specify the field to use (messages) and can't get a result.

get-eventlog -LogName System -ComputerName svr-name | Where-Object {$_.EventID -eq 6008 -AND $_.timegenerated -gt (get-date).adddays(-30)}| select message

Produces this:

Message
-------
The previous system shutdown at 3:35:32 AM on ‎7/‎29/‎2014 was unexpected.
The previous system shutdown at 3:40:06 PM on ‎7/‎10/‎2014 was unexpected.`

Ansgar Wiechers · Accepted Answer · 2014-08-09T17:40:04.367

Retrieving all events from a remote host and filtering them on the local machine ususally doesn't perform too well, because that way you transmit tons of unrelated events over the network, just to throw them away. Get-EventLog has options for filtering messages by Event ID or before/after a given timestamp on the source, so better use those for pre-selecting the messages you're actually interested in. The timestamp of the crash can be extracted from the Message field with a regular expression and parsed into a DateTime value via ParseExact():

$log     = 'System'
$server  = 'svr-name'
$id      = [uint64]"0x80000000" + 6008
$date    = (Get-Date).AddDays(-30)

$fmt     = 'h:mm:ss tt on M\/d\/yyyy'
$culture = [Globalization.CultureInfo]::InvariantCulture

Get-EventLog -LogName $log -ComputerName $server -InstanceId $id -After $date | ? {
  $_.Message -match 'at (\d+:\d+:\d+ [ap]m on \d+/\d+/\d+) was unexpected'
} | select MachineName, TimeGenerated,
           @{n='Crashtime';e={[DateTime]::ParseExact($matches[1], $fmt, $culture)}}

The pipeline produces a list of objects with the properties MachineName, TimeGenerated and Crashtime (the last one being a calculated property). If you collect the output of the pipeline in a variable (e.g. $evt) you can access the Crashtime property of the third object like this:

$evt = .\script.ps1
$evt[2].Crashtime

I didn't know about the `InstanceID` filter. I found that the `EventID` doesn't necessarily correspond to `InstanceID`; in this case `EventID` `6008` = `2137489656 `. I'm still new to Powershell, and I'm having trouble following your array population on line 12 (@...). How can I call elements of this array (e.g.`$Crashtime[2]`? Thanks in advance. — kiwisan, Aug 09 '14 at 14:39
@kiwisan: ITYM 2147489656 (which is 6008 + 0x80000000). I updated my answer. — Ansgar Wiechers, Aug 09 '14 at 17:40

Jim · Answer 2 · 2014-08-08T20:26:01.720

Using regex, you can pull it out as such.

$Messages = (get-eventlog -LogName System -ComputerName svr-name | Where-Object {$_.EventID -eq 6008 -AND $_.timegenerated -gt (get-date).adddays(-30) }| select message)
$Messages | ForEach-Object { 
    $Matched = $_.Message -match "([0-9]{1,2}:.*[0-9]{4})"
    if ($Matched) {
        Write-Output "System rebooted at $($Matches[1])" 
    }
}

There might be a better way, but I do not know what :)

Example Output from my System

System rebooted at 4:34:30 PM on ‎4/‎20/‎2014
System rebooted at 1:48:38 PM on ‎1/‎21/‎2014
System rebooted at 1:37:12 PM on ‎1/‎21/‎2014
System rebooted at 1:22:01 PM on ‎1/‎21/‎2014
System rebooted at 4:41:21 PM on ‎11/‎22/‎2013

score 1 · Answer 3 · answered Apr 19 '16 at 16:12

1

More easy

get-eventlog system  | where-object {$_.EventID -eq  "6008"} | fl

answered Apr 19 '16 at 16:12

DisplayName

1,008
10
24

Powershell: How can I extract time from the message field of eventlog?

3 Answers3