
I have the following code which enumerates all event log sources and grabs the last few days worth of errors and warnings.

Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
  Where-Object { $_.RecordCount } |
    ForEach-Object {
      Get-WinEvent -FilterHashtable @{ LogName   = $_.LogName;
                                       StartTime = (Get-Date).AddDays(-5) } -MaxEvents 1000 |
        Where-Object { $_.LevelDisplayName -like 'Error' -or
                       $_.LevelDisplayName -like 'Warning' }
    }

It currently sorts by log name and then lists all the relevant entries line by line underneath.

ProviderName: Microsoft-Windows-DNS-Server-Service
TimeCreated                     Id LevelDisplayName Message                                                                                                                  
-----------                     -- ---------------- -------                                                                                                                  
11/29/2018 9:08:57 AM         4013 Warning          The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of t...
11/28/2018 8:39:35 PM         4015 Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:34:07 PM         4015 Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:28:39 PM         4015 Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:23:11 PM         4015 Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...

I'd like to modify the code so that it continues to group by the log provider name, but underneath I'd like it to summarize by count each unique entry. The output will exclude the date, but will list the Id, Level, Message and a new "count" attribute listing the number of times that Id occurred.

Count  Id    LevelDisplayName  Message
-----  ----  ----------------  -------
4      4015  Error             The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...

I'm unable to get the result I'm looking for. Any suggestions?

Sentient
  • If you **want** help, why do you cram your script into a one-liner nobody can read/understand on first view? To group data, well, I suggest using the `Group-Object` cmdlet. –  Nov 29 '18 at 18:06
  • Fair comment, I edited the code. I'm sure the answer does include using Group-Object but I'm not getting the output I'm looking for when I do it. – Sentient Nov 29 '18 at 18:15

1 Answer


I think this is most of what you want. I had to assume you wanted the count per "log/provider" and that you wanted the warnings and errors in a separate count. I put the results in a custom object, which you could change to suit your needs.

    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object { $_.RecordCount }
    ForEach ($log in $logs) {
        # -ErrorAction SilentlyContinue also swallows the "No events were found" error for logs with no recent matches
        $result = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{ LogName = $log.LogName; StartTime = (Get-Date).AddDays(-5) } -MaxEvents 1000 |
            Where-Object { $_.LevelDisplayName -eq 'Error' -or $_.LevelDisplayName -eq 'Warning' }
        $ids       = $result | Select-Object -Unique Id
        $providers = $result.ProviderName | Select-Object -Unique
        foreach ($i in $ids) {
            foreach ($p in $providers) {
                # Only the events for this provider/Id pair; @() keeps .Count valid for 0 or 1 hits
                $hits = @($result | Where-Object { $_.ProviderName -eq $p -and $_.Id -eq $i.Id })
                if ($hits.Count -eq 0) { continue }
                $filler       = $hits[0]
                $errorCount   = @($hits | Where-Object { $_.LevelDisplayName -eq 'Error' }).Count
                $warningCount = @($hits | Where-Object { $_.LevelDisplayName -eq 'Warning' }).Count
                [pscustomobject]@{
                    'Provider'     = $p
                    'ErrorCount'   = $errorCount
                    'WarningCount' = $warningCount
                    'Id'           = $filler.Id
                    'Message'      = $filler.Message
                }
            }
        }
    }
Thom Schumacher
  • This doesn't seem to work for me. It doesn't display the custom object you create and lists IDs which are the same repeatedly. I'll look into how to display the object. – Sentient Dec 01 '18 at 15:15
  • When I first posted this I had errors where it would print the same thing over and over again. About 10 minutes later I fixed it with an edit. – Thom Schumacher Dec 04 '18 at 23:08
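As an added example (not code from the question or from the answer above), here is the `Group-Object` approach the comment suggested, packaged as a function that takes `Get-WinEvent` records and emits one row per provider, Id and level with the `Count` column the question asked for. The function names `Get-EventSummary` and `New-SampleEvent` are my own, and the sample records are constructed to stand in for real `Get-WinEvent` output so the block runs offline.

```powershell
# Added example: summarise Error/Warning events per provider with Group-Object.
# Get-EventSummary, New-SampleEvent and the sample records are constructed for
# this illustration; they are not part of the original question or answer.

function Get-EventSummary {
    [CmdletBinding()]
    param(
        # Anything with ProviderName, Id, LevelDisplayName and Message
        # properties, e.g. EventLogRecord objects from Get-WinEvent.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $InputObject
    )
    begin   { $records = [System.Collections.Generic.List[psobject]]::new() }
    process { $records.Add($InputObject) }
    end {
        # Outer Group-Object: one group per provider.
        # Inner Group-Object: one group per unique Id + level inside that provider;
        # the group's Count is the number of times that entry occurred, and the
        # first record in the group supplies the Id, level and message text.
        $records |
            Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
            Group-Object ProviderName |
            ForEach-Object {
                $provider = $_.Name
                $_.Group |
                    Group-Object Id, LevelDisplayName |
                    Sort-Object Count -Descending |
                    ForEach-Object {
                        $first = $_.Group[0]
                        [pscustomobject]@{
                            ProviderName     = $provider
                            Count            = $_.Count
                            Id               = $first.Id
                            LevelDisplayName = $first.LevelDisplayName
                            Message          = $first.Message
                        }
                    }
            }
    }
}

# Constructed sample records standing in for Get-WinEvent output: the
# question's DNS entries, a second provider, and an Information event that
# must be filtered out.
function New-SampleEvent ($Provider, $Id, $Level, $Message) {
    [pscustomobject]@{
        ProviderName     = $Provider
        Id               = $Id
        LevelDisplayName = $Level
        Message          = $Message
        TimeCreated      = Get-Date
    }
}
$dnsError = 'The DNS server has encountered a critical error from the Active Directory. ...'
$sample = @(
    (1..4 | ForEach-Object { New-SampleEvent 'Microsoft-Windows-DNS-Server-Service' 4015 'Error' $dnsError })
    New-SampleEvent 'Microsoft-Windows-DNS-Server-Service' 4013 'Warning' 'The DNS server is waiting for AD DS ...'
    New-SampleEvent 'Microsoft-Windows-Time-Service' 129 'Warning' 'NtpClient was unable to set a domain peer ...'
    New-SampleEvent 'Microsoft-Windows-Time-Service' 129 'Warning' 'NtpClient was unable to set a domain peer ...'
    New-SampleEvent 'Microsoft-Windows-Kernel-General' 12 'Information' 'The operating system started ...'
)

# Expected rows: DNS 4015 Error x4, DNS 4013 Warning x1, Time-Service 129 Warning x2;
# the Information event is dropped.
$summary = $sample | Get-EventSummary
$summary | Format-Table -GroupBy ProviderName -AutoSize Count, Id, LevelDisplayName, Message

# Against live logs (uncomment): let the provider filter on level instead of
# pulling everything and discarding it client-side. Level 2 = Error, 3 = Warning.
# Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
#     Where-Object { $_.RecordCount } |
#     ForEach-Object {
#         Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 1000 -FilterHashtable @{
#             LogName = $_.LogName; StartTime = (Get-Date).AddDays(-5); Level = 2, 3 }
#     } | Get-EventSummary | Format-Table -GroupBy ProviderName -AutoSize Count, Id, LevelDisplayName, Message
```

Two caveats for the live run. `-MaxEvents 1000` returns only the newest 1000 events of each log, so on a noisy log the counts are a cap, not a total; drop it or raise it if the numbers are going to drive a decision. And `-ErrorAction SilentlyContinue` on `Get-WinEvent -ListLog *` hides access-denied failures as well as empty logs: run the script elevated (or as a member of Event Log Readers), otherwise the Security log and other ACL-protected logs are skipped without any indication in the output.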