In the previous tip we looked at Get-EventLog to do a forensic analysis and find search-related errors in the Application log. Get-EventLog is simple to use yet it is slow and deprecated. While it is perfectly OK to use Get-EventLog on Windows PowerShell, you might want to switch to Get-WinEvent instead. It’s faster and runs on PowerShell 7, too.
Let’s quickly translate Get-EventLog to Get-WinEvent for the forensic analysis covered in our previous tip. The code below finds all errors in the Application event log related to the “Search” source (there may be none on your system):
# old Get-EventLog -LogName Application -Source *search* -EntryType error -Newest 10 | Select-Object TimeGenerated, Message # new Get-WinEvent -FilterHashtable @{ LogName = 'Application' ProviderName = '*search*' Level = 1,2 } -ErrorAction Ignore | Select-Object TimeCreated, Message
To group the events per day, use Group-Object and the date as grouping criteria:
# old Get-EventLog -LogName Application -Source *search* -EntryType error | Group-Object { Get-Date $_.timegenerated -format yyyy-MM-dd } -NoElement # new Get-WinEvent -FilterHashtable @{ LogName = 'Application' ProviderName = '*search*' Level = 1,2 } -ErrorAction Ignore | Group-Object { Get-Date $_.TimeCreated -format yyyy-MM-dd } -NoElement
Again, you may not have any search-related error entries in your log, but when you adjust the criteria and search for different event log entries you’ll quickly realize how much faster Get-WinEvent is. In above example, Get-WinEvent was approximately 10 times faster than Get-EventLog.