Announcement

Collapse
No announcement yet.

Eventlog WMI Query by date\time

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Eventlog WMI Query by date\time

    I'm trying to work out a query to extract servernames 'where eventcode - nnnn and TimeGenerated >= dd/mm/yy hr:min:sec' so I can monitor certain events occuring overnight and therefore reduce the
    run time for the query.

    The query works fine when the 'where' clause just contains the eventcode, but as soon as I enter the 'AND date time information' as detailed (format acquired from eventcode query output), it returns
    no results.

    I am therefore not sure on the format of the Date\time data I should enter.

    Has anyone any ideas?

    Thanks in anticipation

    JTM
    Tags: eventcode, wmi
  • #2
    I'll play with the syntax for that, but in the meantime have you considered using Hyena's Filter Events function? Right-click on a computer or selection of computers and choose Events->Filter Events. The dialog that comes up gives you a number of different options to filter for what you want.

    Comment

    • #3
      Using just the date worked for me:

      Logfile='Application' AND TimeGenerated >= '06/12/2012'

      Still working on adding a time range.

      Comment

      • #4
        Actually this worked:

        Logfile='Application' AND TimeGenerated >= '06/12/2012 14:00:00'

        Comment

        • #5
          Thanks Chuck.
          Afraid it still fails with me.
          Maybe I should have mentioned I'm using ExporterPro to run this query.
          Not sure if this is relevant.

          I define the query as a template and then run this over manually selected servers from within the Hyena interface.
          e.g. Logfile='security' AND eventcode='577' works a treat,
          but as soon as I append AND TimeGenerated>= '06/12/2012 14:00:00', I get no results ( the output file is empty save for the headers)
          Diolch

          JTM

          WMI_settings.JPG

          Comment

          • #6
            To make sure there wasn't anything different with Exporter Pro, I ran this query and it worked for me every time:

            Logfile='security' AND EventCode='4624' AND TimeGenerated >= '06/19/2012 9:55:00'

            Attach a screenshot of the template after adding TimeGenerated so we can verify there aren't any typos or anything. Also, verify that you have 577 events after that time frame, and check to make sure that is the same date format used when you export without the TimeGenerated filter. My system uses mm/dd/yyyy, but yours might need dd/mm/yyyy or similar.

            Comment

            Previous template Next
            Working...
            X