Get-WinEvent filtering considerations?

This topic is 4 years and 4 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.

Get-WinEvent filtering considerations?

Post by ITEngineer »

Hi,

I'd like to know when to use which filtering methods for the Get-WinEvent cmdlet?

I can see from https://docs.microsoft.com/en-us/powers ... wershell-6 there are three methods:

-FilterHashtable
-FilterXPath
-FilterXml

Your assistance and explanation are appreciated.

Thanks,
/* IT Engineer */

Re: Get-WinEvent filtering considerations?

Post by jvierra »

XML and XPath can query with more conditions such as reading and testing multiple properties in the data of the event.

Search for the filter names to find articles describing the use and behavior of each type of filter. Hashtable filters are simple and usable for queries that don't need to query the data in detail. Read the help and examples for all filters carefully.
Attached are some examples of XPath and XML queries.
Attachment: Eventlog-XPath-Queries.ps1 (2.59 KiB)
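As an added illustration of the three parameters side by side (this is not the attached Eventlog-XPath-Queries.ps1 and not part of the thread), the same defender's query, successful logons (Security event ID 4624) from the last 24 hours, expressed each way. The Security log needs an elevated session, and the event ID, logon type and Properties[] positions are the documented layout of 4624:

```powershell
# Added example: one query, three Get-WinEvent filter styles.
# Target: successful logons (Security 4624) in the last 24 hours.
$since = (Get-Date).AddHours(-24)

# 1. -FilterHashtable: simplest. Keys map to <System> fields (LogName, ID,
#    Level, ProviderName, StartTime, EndTime, UserID, Keywords) plus a generic
#    'Data' key that matches any EventData value, regardless of its name.
$hash   = @{ LogName = 'Security'; ID = 4624; StartTime = $since }
$byHash = Get-WinEvent -FilterHashtable $hash -MaxEvents 50 -ErrorAction SilentlyContinue

# 2. -FilterXPath: a two-level path into <System> and <EventData>.
#    timediff() takes milliseconds (86400000 ms = 24 h). The named test on
#    LogonType (10 = RemoteInteractive, i.e. RDP) is what the hashtable form
#    above cannot express by field name.
$xpath   = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" +
           " and *[EventData[Data[@Name='LogonType']='10']]"
$byXPath = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue

# 3. -FilterXml: the same XPath inside the structured query that Event Viewer's
#    "Filter Current Log" dialog emits on its XML tab. It adds what bare XPath
#    lacks: several <Select> clauses (even across logs) and a <Suppress> clause.
#    Inside XML text '<' must be written as '&lt;'.
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
      and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='ANONYMOUS LOGON']]
    </Suppress>
  </Query>
</QueryList>
"@
$byXml = Get-WinEvent -FilterXml ([xml]$xml) -MaxEvents 50 -ErrorAction SilentlyContinue

"Hashtable: $(@($byHash).Count)  XPath: $(@($byXPath).Count)  XML: $(@($byXml).Count)"

# Project the fields a reviewer wants. Properties[] follows the event's
# EventData order; for 4624: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
$byXml | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = $_.Properties[5].Value
        LogonType = $_.Properties[8].Value
        SourceIp  = $_.Properties[18].Value
    }
} | Format-Table -AutoSize
```

The hashtable count will normally be the largest of the three, because it has no way to say "LogonType 10 only" by name; the XPath and XML counts match each other except where the Suppress clause removes anonymous logons from the XML result.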

Re: Get-WinEvent filtering considerations?

Post by jvierra »

Here is one article by the MS Directory Services Team that is a good explanation:

https://blogs.technet.microsoft.com/ask ... nt-viewer/

Re: Get-WinEvent filtering considerations?

Post by ITEngineer »

Cool, thanks, Mr. Vierra.

So in this case, I assume there is no speed difference when using any of those three when Filtering the Event types, not the data?
/* IT Engineer */

Re: Get-WinEvent filtering considerations?

Post by jvierra »

There is a speed difference if you use the correct query for your needed results. If you only need what is available on the command line then that is all you need. Each method has its strengths and weaknesses. You will have to choose the correct method based on what you are trying to return. The hashtable is simplest but may end up searching the whole log to complete the query where a correctly designed XML or XPath filter can retrieve records quickly without returning unwanted records.

Another good article: https://blogs.technet.microsoft.com/kfa ... filtering/
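To make the speed point measurable, here is an added comparison (not from the thread or the linked articles) of the same question answered two ways: failed logons (Security 4625) of logon type 3. The first version narrows only by ID and filters the rest in PowerShell; the second pushes the EventData test into XPath so the log service discards non-matching records before they are deserialized. The Measure-Query helper is my own:

```powershell
# Added example: client-side post-filtering versus a filter evaluated by the
# event log service. Both return the same events; only the cost differs.
function Measure-Query {
    param([string]$Name, [scriptblock]$Query)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $events = @(& $Query)        # force an array so .Count is reliable
    $sw.Stop()
    [pscustomobject]@{
        Method       = $Name
        Matches      = $events.Count
        Milliseconds = $sw.ElapsedMilliseconds
    }
}

$log = 'Security'

# Client-side: hashtable selects every 4625, Where-Object does the real test.
# For 4625, Properties[10] is LogonType (documented EventData order).
$clientSide = Measure-Query 'Hashtable + Where-Object' {
    Get-WinEvent -FilterHashtable @{ LogName = $log; ID = 4625 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[10].Value -eq 3 }
}

# Service-side: the same condition expressed in XPath on the named field.
$xpath = "*[System[(EventID=4625)]] and *[EventData[Data[@Name='LogonType']='3']]"
$serviceSide = Measure-Query 'XPath (service-side)' {
    Get-WinEvent -LogName $log -FilterXPath $xpath -ErrorAction SilentlyContinue
}

$clientSide, $serviceSide | Format-Table -AutoSize
```

Matches should be identical; the millisecond gap grows with the size of the log, because the client-side version has to materialize every 4625 as an EventLogRecord before it can look at LogonType. The same pattern (hashtable, then the narrower XPath, then Measure) is a quick way to decide which filter a scheduled detection script should use.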

Re: Get-WinEvent filtering considerations?

Post by ITEngineer »

Yes, that does make sense.

However, since XPath and XML are rather hard to build or type / compile, is there any helper or way to create it?
/* IT Engineer */

Re: Get-WinEvent filtering considerations?

Post by jvierra »

The articles linked show you how to use the wizard to create XPath queries. In the end the syntax is so simple that an elementary school kid can learn it in an afternoon. XML makes this trivial. The articles show the few oddities that are not obvious at first.

The XPath is a simple two level structure that simply defines the path to the values and a simple matching mechanism that uses "=", "<=", ">=", "!=".

An hour of reading and experimenting will give you a very powerful tool.
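As an added example of that two-level structure (my own helper, not part of Get-WinEvent, the thread, or the linked articles), a function that assembles the XPath from one hashtable of <System> tests and one of named <EventData> tests, with the four operators listed above. The process-creation example at the end assumes Security event 4688 with its documented NewProcessName field:

```powershell
# Added example: build "*[System[...]] and *[EventData[...]]" from hashtables.
# Values may carry a leading operator ('<=2', '!=0'); otherwise '=' is used.
function New-EventXPath {
    param(
        [hashtable]$System    = @{},   # e.g. @{ EventID = 4688; Level = '<=2' }
        [hashtable]$EventData = @{},   # keyed by Data/@Name, exact values only
        [int]$WithinHours                # optional age limit via timediff()
    )
    $ops = '<=', '>=', '!=', '='      # longest first so '<=' is not read as '<'

    function Split-Op([string]$v) {
        foreach ($op in $ops) {
            if ($v.StartsWith($op)) { return $op, $v.Substring($op.Length).Trim() }
        }
        return '=', $v
    }
    function Quote([string]$v) {
        if ($v -match '^-?\d+$') { return $v }            # numbers stay bare
        if ($v.Contains("'"))   { return '"' + $v + '"' } # XPath allows "..." too
        return "'" + $v + "'"
    }

    $sys = @(foreach ($k in $System.Keys) {
        $op, $val = Split-Op ([string]$System[$k])
        "($k$op$(Quote $val))"
    })
    if ($WithinHours -gt 0) {
        $sys += "TimeCreated[timediff(@SystemTime) <= $($WithinHours * 3600000)]"
    }
    $data = @(foreach ($k in $EventData.Keys) {
        $op, $val = Split-Op ([string]$EventData[$k])
        "Data[@Name='$k']$op$(Quote $val)"
    })

    $parts = @()
    if ($sys.Count)  { $parts += "*[System[$($sys -join ' and ')]]" }
    if ($data.Count) { $parts += "*[EventData[$($data -join ' and ')]]" }
    if (-not $parts.Count) { return '*' }   # no conditions: match everything
    return ($parts -join ' and ')
}

# Usage: process creations of whoami.exe in the last hour (needs process
# creation auditing enabled). Print the XPath first, then run it.
$xp = New-EventXPath -System @{ EventID = 4688 } `
                     -EventData @{ NewProcessName = 'C:\Windows\System32\whoami.exe' } `
                     -WithinHours 1
$xp
Get-WinEvent -LogName Security -FilterXPath $xp -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Parent'; e = { $_.Properties[13].Value } }
```

If the generated string is to be pasted into a -FilterXml query instead, run it through [System.Security.SecurityElement]::Escape() first so that "<=" becomes "&lt;=" inside the element text.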