powershell, event-log

Using Powershell to Filter Event Logs for Both Day and Time


I am trying to use Powershell to pull system event logs for a specific set of event IDs (including shutdown and start events) for the past week while excluding a specific window of time each day which is used for scheduled reboots (and whose shutdown and start events are therefore not going to be relevant for the data I am trying to collect).

I can filter the events for the past 7 days:

# $C is assumed to already hold the list of computer names to query
$fileDate = Get-Date -UFormat "%Y-%m-%d"
$logDate = (Get-Date).AddDays(-7)
Foreach ($Computer in $C) 
    {
    $Computer;
    # Name the output file after the remote $Computer: $env:computername is the machine running
    # the script, so with it every computer in $C would overwrite the same file
    Get-WinEvent -Computername $Computer -FilterHashtable @{logname='System'; id=12,13,27,33; StartTime=$logDate} | Format-Table -AutoSize -Wrap | Out-String -Width 4096 > "$env:userprofile\Desktop\$Computer-$fileDate.txt"
    }

This will include all events for those 7 days, including the ones associated with the reboot window each day, which I do not want.

I can filter the events to exclude my specified time window:

# $C is assumed to already hold the list of computer names to query
$fileDate = Get-Date -UFormat "%Y-%m-%d"
Foreach ($Computer in $C) 
    {
    $Computer;
    # StartTime/EndTime given as "HH:mm" strings are converted to today's date, so only today is covered.
    # The file is named after the remote $Computer (not $env:computername, the collecting machine).
    Get-WinEvent -Computername $Computer -FilterHashtable @{logname='System'; id=12,13,27,33; StartTime="00:00"; EndTime="04:00"} | Format-Table -AutoSize -Wrap | Out-String -Width 4096 > "$env:userprofile\Desktop\$Computer-$fileDate.txt"
    Get-WinEvent -Computername $Computer -FilterHashtable @{logname='System'; id=12,13,27,33; StartTime="05:00"; EndTime="23:59"} | Format-Table -AutoSize -Wrap | Out-String -Width 4096 >> "$env:userprofile\Desktop\$Computer-$fileDate.txt"
    }

This will filter out the hour window I don't want to see events for, but will only capture events for the current day.

I have not figured out a good way to combine these two in order to pull 7 days' worth of logs while excluding the 1 hour window I want ignored. I searched around but couldn't find something indicating exactly what I was looking for. If I missed it in my searches, please point me in the right direction.


Solution

  • How about adding a Where-Object (the `?{}` part) to the result, like this?

    # Pull the full 7 days, then keep only events whose hour of day falls outside 04:00-04:59.
    # A trailing pipe already continues the line, so no backtick is needed there; one is kept after -or.
    Get-WinEvent -Computername $Computer -FilterHashtable @{logname='System'; id=12,13,27,33; StartTime=$logDate} |
        Where-Object { (($_.TimeCreated.Hour -ge 0) -and ($_.TimeCreated.Hour -lt 4)) -or `
                       (($_.TimeCreated.Hour -ge 5) -and ($_.TimeCreated.Hour -le 23)) } |
        Format-Table -AutoSize -Wrap |
        Out-String -Width 4096 >> "$env:userprofile\Desktop\$Computer-$fileDate.txt"
    

    Or, if you want to exclude anything that happened during 04:00 - 05:00, maybe this is simpler:

    # Same result: drop every event whose TimeCreated hour is 4 (04:00:00 through 04:59:59)
    Get-WinEvent -Computername $Computer -FilterHashtable @{logname='System'; id=12,13,27,33; StartTime=$logDate} |
        Where-Object { $_.TimeCreated.Hour -ne 4 } |
        Format-Table -AutoSize -Wrap |
        Out-String -Width 4096 >> "$env:userprofile\Desktop\$Computer-$fileDate.txt"
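The answer's whole-hour test only works when the reboot window lines up with an hour boundary. Below is an added example (not code from the question or the answer) that generalizes it: the exclusion window is a pair of TimeSpans so it can start and end at any minute and may cross midnight, the filter is a separate function so it can be checked offline against constructed timestamps, and output is one CSV per remote computer. `Test-OutsideWindow` and `Get-EventsOutsideWindow` are hypothetical names chosen here; the event IDs 12, 13, 27 and 33 and the 04:00-05:00 window come from the question.

```powershell
# Added example, not from the original post. Function names are assumptions.

function Test-OutsideWindow {
    # Returns $true when the event's time of day is NOT inside [WindowStart, WindowEnd).
    param(
        [Parameter(Mandatory)][datetime]$TimeCreated,
        [Parameter(Mandatory)][timespan]$WindowStart,   # e.g. [timespan]'04:00'
        [Parameter(Mandatory)][timespan]$WindowEnd      # e.g. [timespan]'05:00', exclusive
    )
    $t = $TimeCreated.TimeOfDay
    if ($WindowStart -le $WindowEnd) {
        # Window within one day, e.g. 04:00-05:00
        $inside = ($t -ge $WindowStart) -and ($t -lt $WindowEnd)
    } else {
        # Window crossing midnight, e.g. 23:30-00:30
        $inside = ($t -ge $WindowStart) -or ($t -lt $WindowEnd)
    }
    return -not $inside
}

function Get-EventsOutsideWindow {
    # Collects the last $Days days of the chosen System events from each computer,
    # drops those inside the daily window, writes one CSV per computer and returns the events.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$Id = @(12, 13, 27, 33),          # IDs from the question
        [int]$Days = 7,
        [timespan]$WindowStart = [timespan]'04:00',
        [timespan]$WindowEnd   = [timespan]'05:00',
        [string]$OutDir = "$env:USERPROFILE\Desktop"
    )
    $since = (Get-Date).AddDays(-$Days)
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    foreach ($c in $ComputerName) {
        $filter = @{ LogName = 'System'; Id = $Id; StartTime = $since }
        try {
            # -ErrorAction Stop turns "no events found" and RPC failures into a catchable error
            $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning "${c}: $($_.Exception.Message)"
            continue
        }
        $kept = $events | Where-Object { Test-OutsideWindow $_.TimeCreated $WindowStart $WindowEnd }
        # File named after the remote computer, not $env:COMPUTERNAME (the collector)
        $kept | Select-Object MachineName, TimeCreated, Id, ProviderName, Message |
            Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$c-$stamp.csv")
        $kept
    }
}

# Offline check of the filter against constructed timestamps (no event log needed).
$samples = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 03:59:59'; Expect = $true  }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 04:00:00'; Expect = $false }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 04:30:00'; Expect = $false }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 04:59:59'; Expect = $false }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 05:00:00'; Expect = $true  }
)
foreach ($s in $samples) {
    $got = Test-OutsideWindow -TimeCreated $s.TimeCreated -WindowStart ([timespan]'04:00') -WindowEnd ([timespan]'05:00')
    if ($got -ne $s.Expect) { throw "Filter wrong for $($s.TimeCreated)" }
}

# Real run against the remote machines:
# Get-EventsOutsideWindow -ComputerName 'SERVER01','SERVER02'
```

Two caveats worth keeping in mind when this is used for anything beyond housekeeping. `TimeCreated` is presented in the local time of the machine running `Get-WinEvent`, so if the remote computers sit in other time zones the excluded window drifts away from their actual reboot slot. And excluding a clock window hides every restart in that slot, not just the scheduled one; if the point is to spot unexpected reboots, it is safer to keep the window's events and filter on what caused them instead (the System log's user-initiated shutdown event, ID 1074, records the initiating process and account).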