Hey everyone! I'm trying to pull up Event IDs in PowerShell that match a specific keyword. Specifically, I want to retrieve Event ID 654 if it contains the keyword 'CMP.domain'. However, my current script only returns the most recent entry dated Aug 08 at 13:16. I'd like to get the last two events containing this keyword. Here's what I have so far:
```powershell
$search = "CMP.DOMAIN"
Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -Newest 2 |
Where-Object { $_.Message.ToUpperInvariant().Contains($search.ToUpperInvariant()) }
```
But the output only shows one event. My desired output is to see both recent events that contain the keyword. Can anyone suggest how I can achieve this?
5 Answers
If you want to modernize your script a bit, consider using `Get-WinEvent`. It’s more efficient and provides better filtering options over `Get-EventLog`. Using a filter hashtable could streamline your search. Here's a quick example:
```powershell
Get-WinEvent -FilterHashtable @{
LogName = 'Application'
ProviderName = 'Directory Synchronization'
ID = 654
} |
Where-Object { $_.Message.ToUpperInvariant().Contains($search.ToUpperInvariant()) } |
Select-Object -First 2
```
This should give you a cleaner output and better performance!
Another thing to try is adjusting your approach a little. Instead of limiting the results beforehand, you can directly filter after retrieving a larger dataset. Just keep in mind that you may need to tweak the limit based on your log size:
```powershell
Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 |
Where-Object { $_.Message.ToUpperInvariant().Contains($search.ToUpperInvariant()) } |
Select-Object -First 2
```
This way, you can ensure you catch those entries you're hunting for!
Absolutely recommended shifting to `Get-WinEvent` for better filtering options. The use of filter hashtables can make your code much cleaner and easier to read:
```powershell
Get-WinEvent -FilterHashtable @{
LogName = 'Application'
ProviderName = 'Directory Synchronization'
ID = 654
} |
Where-Object { $_.Message -like '*CMP.DOMAIN*' } |
Select-Object -First 2
```
This could improve the performance of your script!
It's worth noting that event logs can sometimes be tricky with filtering. If you really want accuracy and efficiency, the combination of `Get-WinEvent` with its advanced filtering parameters might save you a lot of time. Have you thought about checking against keywords or using `-FilterXPath`? Just saying it could give you what you need very quickly!
Your first issue is that when you run `Get-EventLog` with the `-Newest 2` parameter, you're limiting the results to the last two entries, which might not both contain 'CMP.DOMAIN'. I'd suggest fetching more entries and then filtering them. Try this approach instead:
```powershell
Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -Newest 10 |
Where-Object { $_.Message.ToUpperInvariant().Contains($search.ToUpperInvariant()) } |
Select-Object -First 2
```
This way, you'll increase your chances of getting those two entries you're looking for!
Yeah, that's a great tip! Just remember, the more entries you gather initially, the more relevant results you might get.
Also, don’t forget to check out the XML properties for more potential filtering options!