Problem
You want to find the event log entries that occur most frequently.
Solution
To find event log entries by frequency, use the Get-EventLog cmdlet to retrieve the entries in the event log, and then pipe them to the Group-Object cmdlet to group them by their message.
PS >Get-EventLog System | Group-Object Message

Count Name                      Group
----- ----                      -----
   23 The Background Intelli... {LEEDESK, LEEDESK, LEEDESK, LEEDESK...
    3 The Logical Disk Manag... {LEEDESK, LEEDESK, LEEDESK}
    3 The Logical Disk Manag... {LEEDESK, LEEDESK, LEEDESK}
    3 The Logical Disk Manag... {LEEDESK, LEEDESK, LEEDESK}
  161 Driver Microsoft XPS D... {LEEDESK, LEEDESK, LEEDESK, LEEDESK...
(...)
Discussion
The Group-Object cmdlet is a useful way to determine which events occur most frequently on your system. It also provides a useful way to summarize the information in the event log.
If you want to learn more about the items in a specific group, use the Where-Object cmdlet. Since we used the Message property in the Group-Object cmdlet, we need to filter on Message in the Where-Object cmdlet. For example, to learn more about the entries relating to the Microsoft XPS Driver (from the scenario in the solution):
PS >Get-EventLog System |
>>    Where-Object { $_.Message -like "Driver Microsoft XPS*" }
>>

Index Time          Type Source                EventID Message
----- ----          ---- ------                ------- -------
 2917 May 06 09:13  Erro TermServDevices          1111 Driver Microsoft...
 2883 May 05 10:40  Erro TermServDevices          1111 Driver Microsoft...
 2877 May 05 08:10  Erro TermServDevices          1111 Driver Microsoft...
(...)
If grouping by message doesn’t provide useful information, you can group by any other property—such as source:
PS >Get-EventLog Application | Group-Object Source

Count Name                      Group
----- ----                      -----
    4 Application               {LEEDESK, LEEDESK, LEEDESK, LEEDESK}
  191 Media Center Scheduler    {LEEDESK, LEEDESK, LEEDESK, LEEDESK...
 1082 MSSQL$SQLEXPRESS          {LEEDESK, LEEDESK, LEEDESK, LEEDESK...
(...)
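Grouping on a single property is often too coarse for triage: grouping by Message splits entries whose text differs only in an embedded name or path, while grouping by Source collapses every event a component has ever written. The following script, added here as an illustration and not part of the cookbook recipe, is one way to combine the two ideas from this discussion: it groups on Source and EventID together, restricts the result to Error and Warning entries, sorts by count, and reports the first line of a representative message alongside the newest timestamp in each group. The function name Get-EventFrequency and its parameter names are this example's own choices; the cmdlets and parameters it calls (Get-EventLog -LogName/-Newest/-EntryType, Group-Object -Property, Sort-Object, Select-Object, Measure-Object) are standard Windows PowerShell.

```powershell
# Added example (not from the cookbook): report the most frequent
# Error/Warning entries in a classic event log, grouped by Source and
# EventID so that the same event from different sources is not merged.
function Get-EventFrequency {
    param(
        [string]   $LogName   = 'System',
        [int]      $Newest    = 2000,                  # how far back to read
        [int]      $Top       = 10,                    # how many groups to report
        [string[]] $EntryType = @('Error', 'Warning')  # ignore Information noise
    )

    Get-EventLog -LogName $LogName -Newest $Newest -EntryType $EntryType |
        Group-Object -Property Source, EventID |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            # Every entry in a group shares Source and EventID, so one
            # representative entry is enough for the summary columns.
            $first = $_.Group | Select-Object -First 1
            [pscustomobject]@{
                Count   = $_.Count
                Source  = $first.Source
                EventID = $first.EventID
                Newest  = ($_.Group |
                            Measure-Object -Property TimeGenerated -Maximum).Maximum
                Message = ($first.Message -split "`r?`n")[0]  # first line only
            }
        }
}

# Usage: the ten noisiest Error/Warning Source+EventID pairs in System.
Get-EventFrequency -LogName System -Top 10 | Format-Table -AutoSize
```

Once a noisy Source/EventID pair stands out, the Where-Object technique above drills into it; filter on both properties (for example `$_.Source -eq 'TermServDevices' -and $_.EventID -eq 1111`) rather than on a message prefix, because the message text can change between occurrences while the identifiers do not. Note that Get-EventLog reads only the classic logs and exists only in Windows PowerShell; on PowerShell 6 and later, Get-WinEvent is the cmdlet to use, and the same Group-Object pipeline applies to its output.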
If you’ve listed the items in an event log or searched it for entries that have a message with specific text, you often want to get more details about a specific event log entry.
PowerShell's default table formatting displays a summary of event log entries. If you are retrieving a specific entry, however, you are probably interested in seeing more details about it. In this case, use the Format-List cmdlet to format these entries in a more detailed list view, as shown in Example 205.
Example 205. A detailed list view of an event log entry
PS >Get-EventLog System | Where-Object { $_.Index -eq 2917 } |
>>    Format-List
>>

Index              : 2917
EntryType          : Error
EventID            : 1111
Message            : Driver Microsoft XPS Document Writer required for pri
                     nter Microsoft XPS Document Writer is unknown. Contac
                     t the administrator to install the driver before you
                     log in again.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {Microsoft XPS Document Writer, Microsoft XPS Documen
                     t Writer}
Source             : TermServDevices
TimeGenerated      : 5/6/2007 9:13:31 AM
TimeWritten        : 5/6/2007 9:13:31 AM
UserName           :
For more information about the Get-EventLog cmdlet, type Get-Help Get-EventLog. For more information about the Group-Object cmdlet, type Get-Help Group-Object.