Scheduled task parameter

Ask your PowerShell-related questions, including questions on cmdlet development!
Forum rules
Do not post any licensing information in this forum.

Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
This topic is 6 years and 8 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Scheduled task parameter

Post by obrienc »

I am writing a script to run a scheduled task on an event ID. There are 5 servers involved. 4 of them are hyper-v nodes that forward and event ID to a collector. The script then runs against the node from the collector to set some VM settings.

I want to pull out the nodename sending the event and inject it into the scheduled task. The other option is to create 4 custom views for each node and run the same script only replacing the -ComputerName which seems too redundant. And when we open it up to all clusters it could be hundreds. I'm not creating hundreds of scheduled tasks only replacing computername!

Code: Select all

Get-WinEvent -ComputerName myNode.blah.com -LogName $logname|where {$_.Id -eq $logid}|Select -First
If I get-winevent "forwardedevents" on the collector it doesnt display the message, and I need to parse it. You can see the msg from the gui but powershell doesnt return it. Only timestamp and id.

I see in custom views there is a xml property for the computer name but can't seem to pull it out

Code: Select all

<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(Computer='MyNode') and (Level=4 or Level=0) and (EventID=xxxx)]]</Select>
  </Query>
</QueryList>
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Scheduled task parameter

Post by jvierra »

To extract the xml you need to use "ToXml()" on each event. The easiest way is to do this.

[xml]$events = Get-WinEvent ... | %{$_.ToXml()

Now you can use the XML object to extract all properties.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Scheduled task parameter

Post by jvierra »

Here is a more complete example:

Code: Select all

$events = Get-WinEvent @{ LogName = 'application'; ID = 17137 } -MaxEvents 10 | ForEach-Object{ $_.ToXml() }
[xml]$xml = "<Events>$events</Events>"
$xml.Events.Event.System
$xml.Events.Event.EventData
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Re: Scheduled task parameter

Post by obrienc »

Thank you. Would there be some difference other than method between extracting the message and parsing it vs parsing the xml? I ask because if I parse the xml to get a VM name and save it to a variable it shows System.String. If I do the same from a message it says System.String but the variable from the xml wont work with get-scvirtualmachine.

This is what I came up with to parse the XML
## this gets me the vm from the forwarded events ##

Code: Select all

$event = Get-WinEvent -LogName "ForwardedEvents" -MaxEvents 1
[xml]$xmlEvent = $event.ToXml()
$q = ($xmlevent.Event.EventData.Data -split '[\r\n]')
$ph = $q[0] -split 'to '
$vm = $ph[0]
$node = $ph[1]
$vmfqdn = $q[1]
$vm outputs the vm name as System.String but when I try to use it with

Code: Select all

Get-SCVirtualMachine -VMMServer myvmmserver -Name $VM
it fails even though $vm is showing correct

Now if I try parsing the message like this.
### gets me the node ###

Code: Select all

$event = Get-WinEvent -LogName "ForwardedEvents" -MaxEvents 1
[xml]$xmlEvent = $event.ToXml()
$q = ($xmlevent.Event.EventData.Data -split '[\r\n]')
$ph = $q[0] -split 'to '
$node = $ph[1]

## goes to the node and grabs the latest event ##
$logid = 6101
$logname = "Application"
$string = Get-WinEvent -ComputerName $node -LogName $logname|where {$_.Id -eq $logid}|Select -First 1
$string = $string |Select -ExpandProperty Message

## get the vm name from the log message ## 
$arr = $string -split ('"')
$y = $arr[1]
$z = $y.Split(' ')
$vm = $z[0]
$vm outputs the vm name as System.String
This works

Code: Select all

Get-SCVirtualMachine -VMMServer myvmmserver -Name $VM
Thanks.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Scheduled task parameter

Post by jvierra »

You have to reference the data elemt that contains the VM name.

Post the XML from one event and I will show you how to get it. We don't use string parsing with XML.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Scheduled task parameter

Post by jvierra »

This is how to get events by ID:

Get-WinEvent @{Logname='Application';ID=6101}

You method returns the whole event log every time. Using the filter selects only the ID wanted.

The "Message" is not available on events sent to a collector. In your case it is not needed.
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Re: Scheduled task parameter

Post by obrienc »

Code: Select all

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Double-Take Management Service" />
    <EventID Qualifiers="16384">6101</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-07-19T16:05:49.870267100Z" />
    <EventRecordID>12761</EventRecordID>
    <Channel>Application</Channel>
    <Computer>myHyper-V.Node</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MyVM to myHyper-V.Node</Data>
    <Data>10.83.72.138</Data>
    <Data>31453bb6-bd50-4b84-8485-314fd7001057</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>The job "MyVM to myHyper-V.Node" (ID 31453bb6-bd50-4b84-8485-314fd7001057) has successfully completed provisioning a replica for 10.83.72.138.</Message>
    <Level>Information</Level>
    <Task>
    </Task>
    <Opcode>
    </Opcode>
    <Channel>
    </Channel>
    <Provider>
    </Provider>
    <Keywords>
      <Keyword>Classic</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Re: Scheduled task parameter

Post by obrienc »

The exact reason you stated is why I started down the xml path. On the collector I couldn't see the message to parse and that is where I want to trigger the script from, a scheduled task
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Scheduled task parameter

Post by jvierra »

I need the XML from the collection server not the sending server.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Scheduled task parameter

Post by jvierra »

Here is the likely location of the names:

$xml.Events.Event.EventData.Data[0] # Node name to Node server insert
$xml.Events.Event.EventData.Data[1] # ipaddress


For multiple events in the collection use the index

$xml.Events.Event[0].EventData.Data[0]
$xml.Events.Event[0].EventData.Data[1]
This topic is 6 years and 8 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked