Export Windows Logs with Precise Time

Question

I am attempting to export Windows logs using the Get-WinEvent Powershell cmdlet. The following will get me the time precision I am looking for, but this only gets me the timestamp. I need to join the timestamp to other columns that include the machine name, event id, etc.

This code gets me the precise time stamps.

  Get-WinEvent -LogName Application -MaxEvents 10 | Select-Object -Expand TimeCreated | ForEach-Object { 
$date = [DateTime]$_
$date.ToString("yyyy-MM-dd HH:mm:ss")}

The output looks like this which is what I want:

2018-12-06 08:52:28 
2018-12-06 08:52:28 
2018-12-06 08:51:32 
2018-12-06 08:51:31 
2018-12-06 08:51:31 
2018-12-06 08:51:31 
2018-12-06 08:51:31
2018-12-06 08:51:31 
2018-12-06 08:51:31 
2018-12-06 08:44:16

But I need the output to include both the precise time along with things like MachineName, EventID, LevelDisplayName, Message, etc. So in the command below, instead of "TimeCreated", I want to insert the precise time.

Get-WinEvent -LogName Application -MaxEvents 10 | Select-Object TimeCreated,Machinename,Id,LevelDisplayName,Message,Logname | ft

Thanks!

The unneccessary command `| Select-Object -Expand TimeCreated` excludes all other properties, simply remove it. To have your exact formatting for TimeCreated, use a calculated property (it's all there, but may be stripped due to your unknown locale settings when outputting) — , Dec 06 '18 at 17:37

score 1 · Accepted Answer · 2018-12-06T23:48:47.027

1

To have your exact formatting for TimeCreated, use a calculated property

Get-WinEvent -LogName Application -MaxEvents 10 |
   Select-Object @{n='TimeCreated';e={$_.TimeCreated.ToString("yyyy-MM-dd HH:mm:ss")}},
                 Machinename,Id,LevelDisplayName,Logname,Message|Format-Table -auto

For more precision you can also include fractions of seconds
(append ,f .. ,fffffff to the format string)

EDIT: I don't have your environment, but write-Host shouldn't be neccessary.

This should output the formatted CreatedTime to the csv

Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-SessionBroker/Operational" `
             -ComputerName $SessionBroker -MaxEvents 150 | 
  Select-Object @{n='TimeCreated';e={$_.TimeCreated.ToString("yyyy-MM-dd HH:mm:ss")}}, 
                Machinename,Id,LevelDisplayName,Message,LogName,TaskDisplayName | 
    Export-Csv $RDSLogs\SessionBrokerOperational.csv -Append -NoTypeInformation

edited Dec 06 '18 at 23:48

answered Dec 06 '18 at 17:43

Thank you, this is perfect! That does exactly what I need it to do. I appreciate it! – GilsonRocks Dec 06 '18 at 22:33
Sorry one follow up question. I have the following line and when I "Write-Host" it works great. But when I Export-Csv the "TimeCreated" column doesn't show the precise time. It shows the original time. Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-SessionBroker/Operational" -ComputerName $SessionBroker -MaxEvents 150 | Select-Object @{n='TimeCreated';e={$_.TimeCreated.ToString("yyyy-MM-dd HH:mm:ss")}}, Machinename,Id,LevelDisplayName,Message,LogName,TaskDisplayName | Export-Csv $RDSLogs\SessionBrokerOperational.csv -Append -NoTypeInformation – GilsonRocks Dec 06 '18 at 23:37
Well, it's more like a broken follow-up comment. As you see comments are just made for comments, code without line breaks is barely readable. Editing this question to contain additional information would be better - but steal me (and others) the chance to gain reputation with another good answer. – Dec 06 '18 at 23:42

Export Windows Logs with Precise Time

1 Answers1