Get-WinEvent filtering considerations?

ITEngineer
Posts: 167
Joined: Wed Oct 12, 2011 10:52 am

Get-WinEvent filtering considerations?

Post by ITEngineer » Wed Nov 06, 2019 10:52 pm

Hi,

I'd like to know when to use which filtering methods for the Get-WinEvent cmdlet?

I can see from https://docs.microsoft.com/en-us/powers ... wershell-6 there are three methods:

    -FilterHashtable
    -FilterXPath
    -FilterXml

Your assistance and explanation are appreciated.

Thanks,
/* IT Engineer */

jvierra
Posts: 13949
Joined: Tue May 22, 2007 9:57 am

Re: Get-WinEvent filtering considerations?

Post by jvierra » Wed Nov 06, 2019 10:59 pm

XML and XPath can query with more conditions, such as reading and testing multiple properties in the data of the event.

Search for the filter names to find articles describing the use and behavior of each type of filter. Hashtable filters are simple and usable for queries that don't need to query the data in detail. Read the help and examples for all filters carefully.
Attached are some examples of XPath and XML queries.
Attachment: Eventlog-XPath-Queries.ps1 (2.59 KiB)
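The distinction jvierra draws, shown as one query written with each of the three filter parameters. This is an added example, not the attached script or anything from the original thread. The query is a security-relevant one: successful logons (Security event 4624) of LogonType 10 (RemoteInteractive, i.e. RDP) in the last 24 hours. It assumes an elevated prompt (the Security log is not readable otherwise) and a local Security log with logon auditing enabled; the helper function name is mine.

```powershell
# Added example, not from the original thread: the same question asked with each of the
# three Get-WinEvent filter parameters. Needs an elevated prompt and a Security log with
# logon auditing enabled (assumed).

$since = (Get-Date).AddHours(-24)

# Helper (mine, not a built-in): read one named EventData field from an event's XML.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1) -FilterHashtable: the keys cover System-level fields (channel, ID, time, level,
#    provider ...). LogonType lives in EventData, so here it is tested in PowerShell
#    after every 4624 record has already been returned.
$viaHashtable = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'LogonType') -eq '10' }

# 2) -FilterXPath: all conditions, including the EventData one, inside the query.
#    The Event Log service evaluates it; timediff(@SystemTime) is in milliseconds.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 86400000]]] and *[EventData[Data[@Name='LogonType']='10']]"
$viaXPath = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# 3) -FilterXml: the same XPath wrapped in the QueryList structure that Event Viewer's
#    "Filter Current Log" > XML tab produces. Only this form can target several channels
#    in one query or add <Suppress> clauses. The XPath is XML text here, so '<' must be
#    escaped (Event Viewer writes &lt;=); SecurityElement.Escape does that.
$escaped  = [System.Security.SecurityElement]::Escape($xpath)
$queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$escaped</Select>
  </Query>
</QueryList>
"@
$viaXml = Get-WinEvent -FilterXml ([xml]$queryXml) -ErrorAction SilentlyContinue

# All three should agree; a mismatch means one filter is not saying what you think.
foreach ($pair in @(@('Hashtable', $viaHashtable), @('XPath', $viaXPath), @('FilterXml', $viaXml))) {
    '{0,-10} {1,6} events' -f $pair[0], ($pair[1] | Measure-Object).Count
}

# What the practitioner actually wants: who logged on over RDP, and from where.
$viaXPath | Select-Object -First 10 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = Get-EventDataField $_ 'TargetUserName'
        SourceIp  = Get-EventDataField $_ 'IpAddress'
        LogonType = Get-EventDataField $_ 'LogonType'
    }
}
```

The hashtable window is computed once up front while the XPath `timediff()` is evaluated when the query runs, so the counts can differ by whatever was logged in between; that is a property of the two time expressions, not of the filter parameters.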

jvierra
Posts: 13949
Joined: Tue May 22, 2007 9:57 am

Re: Get-WinEvent filtering considerations?

Post by jvierra » Wed Nov 06, 2019 11:07 pm

Here is one article by the MS Directory Services Team that is a good explanation:

https://blogs.technet.microsoft.com/ask ... nt-viewer/

ITEngineer
Posts: 167
Joined: Wed Oct 12, 2011 10:52 am

Re: Get-WinEvent filtering considerations?

Post by ITEngineer » Wed Nov 06, 2019 11:11 pm

Cool, thanks, Mr. Vierra.

So in this case, I assume there is no speed difference when using any of those three when filtering the event types, not the data?
/* IT Engineer */

jvierra
Posts: 13949
Joined: Tue May 22, 2007 9:57 am

Re: Get-WinEvent filtering considerations?

Post by jvierra » Wed Nov 06, 2019 11:15 pm

There is a speed difference if you use the correct query for your needed results. If you only need what is available on the command line then that is all you need. Each method has its strengths and weaknesses. You will have to choose the correct method based on what you are trying to return. The hashtable is simplest but may end up searching the whole log to complete the query where a correctly designed XML or XPath filter can retrieve records quickly without returning unwanted records.

Another good article: https://blogs.technet.microsoft.com/kfa ... filtering/
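A way to measure the difference jvierra describes, as an added example that is not part of the thread. Both queries below return the same records (Security 4624 with LogonType 3, network logons), but the hashtable can only say "ID 4624", so every 4624 record is streamed into PowerShell and tested there, whereas the XPath query carries the LogonType predicate and the Event Log service discards non-matching records before returning anything. It assumes an elevated prompt and a Security log with some history; the function and variable names are mine.

```powershell
# Added example, not from the original thread: timing a hashtable filter plus Where-Object
# against an XPath filter that pushes the EventData condition into the query.
# Assumed: elevated prompt, populated Security log.

$hashtable = @{ LogName = 'Security'; Id = 4624 }
$xpath     = "*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='3']]"

function Measure-Filter {
    param(
        [string]$Name,
        [scriptblock]$Query,                      # produces the events
        [scriptblock]$PostFilter = { $true }      # optional test applied in PowerShell
    )
    # A hashtable so that the counter survives whatever scope the script blocks run in.
    $state = @{ Streamed = 0; Matches = @() }
    $elapsed = Measure-Command {
        $state.Matches = @(& $Query | ForEach-Object { $state.Streamed++; $_ } | Where-Object -FilterScript $PostFilter)
    }
    [pscustomobject]@{
        Method          = $Name
        Seconds         = [math]::Round($elapsed.TotalSeconds, 2)
        RecordsStreamed = $state.Streamed        # records PowerShell had to receive and inspect
        Matches         = $state.Matches.Count   # records that satisfied the full condition
    }
}

$results = @(
    Measure-Filter -Name 'Hashtable + Where-Object' `
        -Query { Get-WinEvent -FilterHashtable $hashtable -ErrorAction SilentlyContinue } `
        -PostFilter { $_.Properties[8].Value -eq 3 }    # for 4624, EventData field 8 is LogonType
    Measure-Filter -Name 'XPath with EventData predicate' `
        -Query { Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue }
)
$results | Format-Table -AutoSize

# The two result sets must be the same size. If they are not, the XPath predicate is not
# equivalent to the PowerShell test, and the faster query is also the wrong one.
if ($results[0].Matches -ne $results[1].Matches) {
    Write-Warning ('Result sets differ: {0} vs {1}' -f $results[0].Matches, $results[1].Matches)
}
```

On a small lab log both runs finish quickly and the seconds column says little; the RecordsStreamed column is the honest measure, because it is the number of records that had to cross from the service into PowerShell. Newer PowerShell versions also accept named EventData keys directly in the hashtable; whether your version does, and how it translates them, is in `Get-Help Get-WinEvent -Parameter FilterHashtable`, so check there rather than assuming.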

ITEngineer
Posts: 167
Joined: Wed Oct 12, 2011 10:52 am

Re: Get-WinEvent filtering considerations?

Post by ITEngineer » Thu Nov 07, 2019 5:16 am

Yes, that does make sense.

However, since XPath and XML are rather hard to build or type/compile, is there any helper or way to create them?
/* IT Engineer */

jvierra
Posts: 13949
Joined: Tue May 22, 2007 9:57 am

Re: Get-WinEvent filtering considerations?

Post by jvierra » Thu Nov 07, 2019 5:23 am

The articles linked show you how to use the wizard to create XPath queries. In the end the syntax is so simple that an elementary school kid can learn it in an afternoon. XML makes this trivial. The articles show the few oddities that are not obvious at first.

The XPath is a simple two-level structure that simply defines the path to the values and a simple matching mechanism that uses "=", "<=", ">=", "!=".
An hour of reading and experimenting will give you a very powerful tool.
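The two-level structure jvierra describes (a path into `System` or `EventData`, then a comparison), written out as a small generator plus the QueryList wrapper with a `<Suppress>` clause. This is an added example, not the thread's attachment or anything Microsoft ships; the function names are mine, the XPath grammar is the Event Log service's own subset. It assumes an elevated prompt and a Security log.

```powershell
# Added example, not from the original thread: build the "*[System[...]] and *[EventData[...]]"
# XPath from named conditions, then wrap it in the QueryList that Event Viewer's XML tab shows.
# Assumed: elevated prompt, Security log present.

function New-EventXPath {
    param(
        [int[]]$EventId,                  # System/EventID values, OR'ed together
        [hashtable]$EventData = @{},      # Name -> value predicates on EventData/Data
        [int]$WithinHours                 # optional window via timediff(), which counts milliseconds
    )
    $system = @()
    if ($EventId)     { $system += '(' + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ')' }
    if ($WithinHours) { $system += "TimeCreated[timediff(@SystemTime) <= $($WithinHours * 3600000)]" }
    $parts = @()
    if ($system) { $parts += '*[System[' + ($system -join ' and ') + ']]' }
    foreach ($name in $EventData.Keys) {
        # Values go in single quotes and XPath has no escape character, so a value that itself
        # contains a single quote cannot be expressed by this builder.
        $parts += "*[EventData[Data[@Name='$name']='$($EventData[$name])']]"
    }
    $parts -join ' and '
}

function New-QueryList {
    param([string]$Path, [string]$Select, [string]$Suppress)
    # The XPath is XML text inside <Select>/<Suppress>, so < and & must be escaped
    # (Event Viewer writes &lt;=). SecurityElement.Escape handles that.
    $sel = [System.Security.SecurityElement]::Escape($Select)
    $sup = ''
    if ($Suppress) {
        $sup = "    <Suppress Path=`"$Path`">$([System.Security.SecurityElement]::Escape($Suppress))</Suppress>`n"
    }
    @"
<QueryList>
  <Query Id="0" Path="$Path">
    <Select Path="$Path">$sel</Select>
$sup  </Query>
</QueryList>
"@
}

# Successful logons in the last 24 hours, minus the machine's own service logons (type 5),
# which are the bulk of the noise when looking for interactive or network access.
$select   = New-EventXPath -EventId 4624 -WithinHours 24
$suppress = New-EventXPath -EventId 4624 -EventData @{ LogonType = '5' }
$queryXml = New-QueryList -Path Security -Select $select -Suppress $suppress
$queryXml    # print it: this is exactly what you would paste into Event Viewer's XML tab

Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Account';   e = { $_.Properties[5].Value } },   # 4624 EventData field 5: TargetUserName
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } }    # 4624 EventData field 8: LogonType
```

Two of the oddities worth knowing before relying on a generated query: the service implements only a subset of XPath 1.0 (comparisons, `position()`, `Band()` and `timediff()`), so string functions such as `contains()` are not available and a value must be matched exactly; and the wizard writes `(Level=4 or Level=0)` for "Information", because providers record that level as either 4 or 0, which a hand-written `Level=4` would miss.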
