Problem:
You want to find specific events from multiple archived event logs.
Solution:
EventScrape.ps1 uses the PowerShell Get-WinEvent cmdlet to parse offline (archived) event logs and sort the matching events into chronological order.
# Start with an empty array (an empty string would become the first "event" in the output)
[array]$TotalSearch=@()
# *App* is targeting archived Application logs - change to suit your needs
Get-ChildItem -Include *App*.evt,*App*.evtx -Path E:\EventLogs\Winevt\logs\ -Recurse |
ForEach-Object {"Parsing $($_.FullName)`r`n"
    Try {
        # Both IDs in one filter, so a file with no 15004 events is still searched for 15005
        $TotalSearch+=Get-WinEvent -FilterHashtable @{
            Path=$_.FullName
            Id=15004,15005
            #StartTime="1/14/2011" ; #in case you want to limit the search to a certain time range
            #EndTime="1/15/2016"
        } -EA Stop
    # With -EA Stop, a file that holds no matching events throws; show the actual message instead of a fixed string
    } Catch [System.Exception] {"  $($_.Exception.Message)"}}
# Full event details in chronological order, then the same set as CSV
$TotalSearch| Sort-Object TimeCreated|fl|Out-File "BackPressure.txt"
$searchCSV=$TotalSearch| Sort-Object TimeCreated|ConvertTo-Csv -UseCulture
$searchCSV|Out-File "SearchCSV.csv"
# Pull the "resource pressure" lines with 5 lines before and 7 lines after for context
gc .\BackPressure.txt |Select-String "resource pressure" -Context 5,7 |Out-File Pressures.txt
Invoke-Item .\Pressures.txt
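As an added example (not the page's EventScrape.ps1), the same sweep written as a reusable function: it searches the event Message text directly instead of grepping a formatted text file, keeps going when a file holds no matching events, and only applies time bounds when they are given. The log folder is the path assumed on the page; the event IDs and the "resource pressure" phrase are the page's own values.

```powershell
# Added example, not the page's script: collect chosen event IDs from every archived
# log under a folder, in chronological order, and match on the Message text itself.
function Search-ArchivedEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LogRoot,             # e.g. E:\EventLogs\Winevt\logs (path assumed from the page)
        [string[]]$NameFilter = @('*App*.evt', '*App*.evtx'), # archived Application logs, as on the page
        [int[]]$Id = @(15004, 15005),                         # the back pressure event IDs the page searches for
        [string]$MessagePattern = 'resource pressure',
        [datetime]$StartTime,
        [datetime]$EndTime
    )

    $hits = foreach ($log in Get-ChildItem -Path $LogRoot -Include $NameFilter -Recurse -File) {
        # One filter per file; time bounds are added only when the caller supplied them
        $filter = @{ Path = $log.FullName; Id = $Id }
        if ($PSBoundParameters.ContainsKey('StartTime')) { $filter.StartTime = $StartTime }
        if ($PSBoundParameters.ContainsKey('EndTime'))   { $filter.EndTime   = $EndTime }

        Write-Verbose "Parsing $($log.FullName)"
        try {
            Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.Message -match $MessagePattern } |
                Select-Object TimeCreated, Id, LevelDisplayName, MachineName,
                              @{ n = 'LogFile'; e = { $log.Name } },
                              @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
        }
        catch {
            # A file with no matching events is normal for an archive sweep; anything else is worth seeing
            if ($_.Exception.Message -notlike '*No events were found*') {
                Write-Warning "$($log.FullName): $($_.Exception.Message)"
            }
        }
    }

    $hits | Sort-Object TimeCreated
}

# Usage: chronological timeline on the console and a CSV for further analysis
$timeline = Search-ArchivedEvents -LogRoot 'E:\EventLogs\Winevt\logs' -Verbose
$timeline | Format-Table -AutoSize
$timeline | Export-Csv -Path .\BackPressureTimeline.csv -NoTypeInformation -UseCulture
```

Pass -StartTime and -EndTime to restrict the sweep to a window; leave them out to search every event in the archived files.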
Details:
Use PowerShell to Parse Saved Event Logs for Errors
http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/25/use-powershell-to-parse-saved-event-logs-for-errors.aspx
I ended up splitting the code into two scripts, one which parses the event logs, and the second which deletes them. Your code is in use in the deletion portion and is fully effective as far as I'm able to tell based on testing. The deletions are set up to run once every two days now, so we should be able to get the info that we need, make sure that the logs have been parsed, and then see what happens with the cleanup after. Thanks a lot for your help!