How can I query windows server events between two times of any day? I have tried with PowerShell...
Get-EventLog -Logname xxxx -After 04:00:00 -Before 04:00:30
...but just returns today's events
Asked
Active
Viewed 3,136 times
2
1 Answers
2
To find events between two times at any day we'll want to use a regex. Example code to find any event that happened between 04:00:00 and 04:29:59 of any day in the System log:
Get-EventLog -LogName System | ?{$_.TimeGenerated -match "04:[0-2][0-9]:[0-5][0-9]"}
Mikael H
- 4,868
- 2
- 8
- 15
-
Thanks Mikael, but how can I ask the same query for ANY day (if possible) in an elegant way? – jreinap Jan 28 '19 at 11:37
-
Initial reply updated to actually answer the question. – Mikael H Jan 28 '19 at 13:14
-
@MikaelH, That's great. Can you explain more about the regex part (`04:[0-2][0-9]:[0-5][0-9]`)? for example if my time range is `04:00:55 - 05:12:03` then how to modify the regex? – AlirezaK Jan 29 '19 at 06:09
-
@Tom, Each bracket represents the allowed range for a single character in the TimeGenerated field. For the first example given, I knew that we'll always want to look within hour number 4, i.e. "04". To also include events from hour number 5, we'd replace "04:" with "0[4-5]:". The next part of your request gets significantly more hairy: We'd need to program our "where" query ("?") to include only the last five seconds of the minute "4:00:", and only the first three seconds of the minute "5:12:".I'd define these non-general qualifications in "or", or "and not" clauses next to the main one. – Mikael H Jan 29 '19 at 09:02
-
@Tom, Just to illustrate my point, the first part of your query would look something like this: Get-EventLog -LogName System | ?{$_.TimeGenerated -match "04:00:5[5-9]" -or $_.TimeGenerated -match "04:0[1-9]:\d\d" -or $_.TimeGenerated -match "04:[1-5][0-9]:\d\d"} – Mikael H Jan 29 '19 at 09:15
-
@Tom, Someone who is more fluent in regex could probably shorten that to a lovely unreadable chunk-o-chars, but I'm a simple man. :) – Mikael H Jan 29 '19 at 09:18