Long pause waiting for prompt to return following query of Windows Event Log


Post by EBrant » Tue Feb 19, 2013 6:31 am

Hello All

Can someone please enlighten me as to what is going on here and, hopefully, a way to resolve it?

No matter which way I query the Windows Event Log, i.e.

Get-WmiObject -Query "select * from win32_NTLogEvent where LogFile = 'Application' AND TimeGenerated >= '20130219 18:40:00'" -computername Remote1

Get-EventLog -LogName Application -EntryType Warning,Error -After "19/02/2013 18:40:00" -Computername Remote1

I get the events OK, i.e. let's say there are 5 events, I get all 5, but then I have to wait what seems like an age for the prompt to return. It is as if PowerShell is still processing the rest of the log, even though the time stamps on the entries in the log are out of scope.

So does anyone know if PowerShell/WMI will parse the whole log in any event while applying the time/date filter? I was hoping, as the log is date ordered, that as soon as it saw a date which was out of range it would stop there and then and return the prompt.

I guess I would look at running -AsJob but just wanted to know if I am missing something.

I will take a look at Get-WinEvent, but something tells me this is unlikely to be faster than WMI (indeed, does Get-WinEvent use WMI under the hood?)

Thanks all
Ernie


Post by jvierra » Tue Feb 19, 2013 9:00 am

Yes - both methods scan the whole log.
Get-WinEvent does not use WMI but uses the newer extended EventLog API.
Get-WinEvent can be faster in many scenarios.

A test for absolute speed would add -Newest 1 to a query.


Post by EBrant » Tue Feb 19, 2013 5:59 pm

Thanks Jim,
I better get used to using Get-WinEvent.

All the best
Ernie
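
The same warning/error query expressed with Get-WinEvent, as an added example that is not code from anyone in this thread: -FilterHashtable passes the log name, levels and start time to the event log service as one query rather than filtering objects afterwards in the pipeline. The function name Get-RecentAppProblem and its parameters are hypothetical; the demo runs against the local machine, so substitute Remote1 for the thread's case.

```powershell
# Added example (not from the thread): Application-log warnings and errors
# since a given time, filtered by the event log service itself.
function Get-RecentAppProblem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $After,
        [string] $ComputerName = $env:COMPUTERNAME,  # 'Remote1' in the thread
        [int]    $MaxEvents    = 0                   # 0 = no cap (this helper's own convention)
    )

    # Level 2 = Error, Level 3 = Warning; StartTime is matched against TimeCreated.
    $filter = @{
        LogName   = 'Application'
        Level     = 2, 3
        StartTime = $After
    }

    $params = @{
        FilterHashtable = $filter
        ComputerName    = $ComputerName
        ErrorAction     = 'Stop'
    }
    if ($MaxEvents -gt 0) { $params.MaxEvents = $MaxEvents }

    try {
        Get-WinEvent @params |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
    }
    catch {
        # Get-WinEvent reports "no matching events" as an error; treat it as an empty result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
}

# ISO 8601 cast avoids the dd/MM vs MM/dd ambiguity of "19/02/2013 18:40:00".
$since = [datetime]'2013-02-19T18:40:00'

# Time the call so it can be compared with the Get-EventLog / WMI versions.
$timer = [System.Diagnostics.Stopwatch]::StartNew()
$found = @(Get-RecentAppProblem -After $since)
$timer.Stop()

'{0} event(s) returned in {1:N1} s' -f $found.Count, $timer.Elapsed.TotalSeconds
```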
