[PowerShell每日技巧]从多个事件日志中获取报错的事件信息(20131230)

DAIC

Get-EventLog can read events only from one event log at a time. If you want to find events in multiple event logs, you can append array information, though:

1. $events = @(Get-EventLog -LogName System -EntryType Error)
   
2. $events += Get-EventLog -LogName Application -EntryType Error
   
3. 
   
4. $events

复制代码

In these cases, it might be easier to use WMI in the first place - which can query any number of event logs at the same time.

This will get you the first 100 error events from the application and system log (cumulated, so if the first 100 errors are in the application log, no system log errors will be reported, of course):

1. Get-WmiObject -Class Win32_NTLogEvent -Filter 'Type="Error" and (LogFile="System" or LogFile="Application")' |
   
2.   Select-Object -First 100 -Property TimeGenerated, LogFile, EventCode, Message

复制代码

When you replace Get-WmiObject with Get-CimInstance (which is new in PowerShell 3.0), then the cryptic WMI datetime format is automatically converted to normal date and times:

1. Get-CimInstance -Class Win32_NTLogEvent -Filter 'Type="Error" and (LogFile="System" or LogFile="Application")' |
   
2.   Select-Object -First 100 -Property TimeGenerated, LogFile, EventCode, Message

复制代码

http://powershell.com/cs/blogs/tips/archive/2013/12/30/getting-error-events-from-multiple-event-logs.aspx