I am trying to filter out some EventIDs from Get-EventLog like this:

...More code here
Get-EventLog -LogName $_ -EntryType Warning,Error | 
Where-Object {$_.EventID -ne '0|1|2|3|4|7|8|9|10|14|15|17...'}

However, I am running into trouble with the comparator: using -ne simply does not filter anything out, and if I use -notmatch, it returns only one result, and I have confirmed there are a lot that it's skipping. Not sure what I am missing and why -ne is not working at all. Any help is appreciated! Thanks a lot in advance!

  • I guess you want to use `-in 0,1,2, ...` – zett42 Feb 18 '21 at 09:21
  • Hey, that did it, thank you! I had tried -notin before, but it didn't occur to me to separate it with `,` and it didn't work, but it also did not give me an error. – bill pi Feb 18 '21 at 09:32
  • Get-EventLog is terribly slow. You might want to use Get-WinEvent for speedy results. Here is a small example of a script I made to create an overview of user logons (EventID 2) and logoffs (EventID 3) for the last 30 days: `Get-WinEvent -FilterHashtable @{logname = "Microsoft-Windows-User Profile Service/Operational"; id = 2, 3; StartTime = (Get-Date).AddDays(-30) }`. This should get you in the right direction. – Peter the Automator Feb 18 '21 at 09:36
  • Yeah, I am realizing now it's taking quite a while. But I need to filter EventIDs out, and Get-WinEvent seems to need to go into XML properties (like Get-EventLog replacement strings) to do that. I will see if I can't manage the waiting though, thank you! – bill pi Feb 18 '21 at 10:28

1 Answer

Your current code:

$_.EventID -ne '0|1|2|3|4|7|8|9|10|14|15|17...'

is currently checking if the ID is literally 0|1|2|3|4|7|8|9|10|14|15|17....

To check if the ID is one of the values specified, you need to use the -in operator, as suggested in the comments:

$_.EventID -in @(0, 1, 2, 3)

For future reference, please check about_Comparison_Operators in the PowerShell documentation.

Robert Dyjas
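Added example (not part of the original question or answer): the three comparators from this thread run against constructed sample records, showing why `-ne` drops nothing, why an unanchored `-notmatch` drops IDs that are not in the list, and how `-notin` excludes exactly the listed IDs. It goes one step beyond the thread by building the equivalent exclusion as an XPath filter for `Get-WinEvent`; the sample IDs, the shortened exclusion list and the `Application` log name are assumptions.

```powershell
# Constructed sample records standing in for Get-EventLog output (not real log data).
$events = 1, 10, 21, 56, 4101 | ForEach-Object {
    [pscustomobject]@{ EventID = $_; EntryType = 'Error'; Source = 'SampleSource' }
}

# IDs to suppress (shortened, hypothetical list based on the question).
$excludeIds = 0, 1, 2, 3, 4, 7, 8, 9, 10, 14, 15, 17
$pattern    = $excludeIds -join '|'

# -ne: the integer ID is never equal to the whole pipe-separated string,
# so the condition is true for every record and nothing is filtered out.
$ne = $events | Where-Object { $_.EventID -ne $pattern }

# -notmatch: the pattern is an unanchored regex, so any ID that merely
# contains one of the listed digits is dropped as well (here 21 and 4101).
$notMatch = $events | Where-Object { $_.EventID -notmatch $pattern }

# -notin: exact membership test against the array of IDs.
$notIn = $events | Where-Object { $_.EventID -notin $excludeIds }

# Anchoring the regex makes -notmatch behave like -notin.
$anchored = $events | Where-Object { $_.EventID -notmatch "^($pattern)$" }

# Side-by-side view of which IDs survive each filter.
[pscustomobject]@{
    Ne               = $ne.EventID -join ','
    NotMatch         = $notMatch.EventID -join ','
    NotIn            = $notIn.EventID -join ','
    NotMatchAnchored = $anchored.EventID -join ','
} | Format-List

# Same exclusion pushed into the event log query itself.
# Level 2 = Error, Level 3 = Warning.
$idClause = ($excludeIds | ForEach-Object { "EventID!=$_" }) -join ' and '
$xpath    = "*[System[(Level=2 or Level=3) and $idClause]]"
$xpath

# On a Windows host (log name is an assumption):
# Get-WinEvent -LogName Application -FilterXPath $xpath
```

When trimming noise from a log review this way, keep the exclusion list explicit and exact: a pattern that silently drops unlisted IDs can hide the events you were looking for.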