# adding text to end of string

This would seem to be an easy solution but....

The setup. I'm trying to search offline eventlogs. There are multiple logs of a server just different weeks.
These logs are located on a remote storage location.
I can get the directory using
> $logarchivepath = get-childitem$logarchiveuncpath\ -Recurse | ?{ $_.PSIsContainer } | Sort-Object | Select-Object FullName  I can get the filenames using >$filenames = get-childitem $logarchiveuncpath\ -Recurse | Select -exp Name  The result of$logarchivepath is ;
\\jill\it-dept\Docs\Docs\Monthly IT Reports\EventLogBackup\temp\WIN10SERVER-Logs-02031502

>>>>> There are about 20 servers with at least 4 folders each<<<<<<<

The result of $filenames is: Application.evt ADAM (VMwareVCMSDS).evt System.evt Internet Explorer.evt Active Directory Web Services.evt Windows PowerShell.evt HardwareEvents.evt Key Management Service.evt Security.evt  >>>>>>>>>>>Again this list is repeated for each server in the above list.<<<<<<<<<<<<<<<<<< This is my code; $log = "Security.evt"
foreach ($computer in$strcomputer)
{
$lpb = 1$computer
$logarchivepath = get-childitem$logarchiveuncpath\ -Recurse | ?{ $_.PSIsContainer } | Sort-Object | Select-Object FullName$filenames = get-childitem $logarchiveuncpath\ -Recurse | Select -exp Name$logarchivepath
foreach ($logfile in$logarchivepath)
{
foreach ($filename in$filenames)
{
$result = Get-Winevent -Path$logfile -Logname "$log" -oldest | where-object {$_.Id -eq 517 -or $_.Id -eq 1102}$result
pause
}
}
$lpa =$lpa + 1
}

>>> The pause statement is for troubleshooting<<<<<

I'm getting the following error;

Get-WinEvent : Parameter set cannot be resolved using the specified named parameters.
At line:179 char:22
+                  $result = Get-Winevent -Path$logfile -Logname "$log" -oldest | where ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (:) [Get-WinEvent], ParameterBindingException + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.PowerShell.Commands.GetWinEventCommand I "think" my problem is that I need a trailing "\" in my path statement but not sure. And I've tried just about every conceivable method to add a trailing "\" to the path statement but haven't been successful. Or is there something else I've missed? Asked: ###### Who is Participating? Commented: Is it the folders that is taking a long time, or the Get-WinEvent? You might try this for line 8 to see if it speeds up. { Get-Winevent -FilterHashTable @{ Path =$_; Id = 517,1102 } -oldest }

0

Commented:
Have you tried imple concatenation?
Example:
foldername  +"\"+ filename

0

Author Commented:
Yes...to a point. As I understand the Get-Winevent I use the -path <log location> and then the -logname <eventlog.evt> so I've only tried to get the trailing "\" on the path name.
0

Commented:
It's not due to a "\".  When you use the -Path parameter you don't need the -Logname parameter.  Those parameters are members of separate parameter sets.
0

Author Commented:
Ahhhh. Then when using the path statement I would use the full path "plus" the filename. Is that correct?
0

Commented:
Yes, the complete path (directory and filename) to the file you want to open.
0

Author Commented:
OK, great. Let me plug that info into my script.

So to summarize I would do the following;
$logarchivepath = "\\remote location"$log = "security.evt"
$path =$logarchivepath + "\" + $log Get-Winevent -path$path ...... and more code.
0

Author Commented:
Tried it...Didn't work.
PS C:\Users\rwolf> $file =$logfile + "\" + $log Method invocation failed because [System.Management.Automation.PSObject] does not contain a method named 'op_Addition'. At line:1 char:1 +$file = $logfile + "\" +$log
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
0

Author Commented:
Changed some code around. I think what's happening is that my variable $logpath (new variable) is not a string. New code----$logarchivepath = get-childitem $logarchiveuncpath\ -Recurse | ?{$_.PSIsContainer } | Sort-Object | Select-Object FullName
$filenames = get-childitem$logarchiveuncpath\ -Recurse | Select -exp Name
$logarchivepath foreach ($logpath in $logarchivepath) {$logfile = "$logpath + '\' +$log"
$result = Get-Winevent -Path$logfile -oldest | where-object {$_.Id -eq 517 -or$_.Id -eq 1102}
$result pause } 0 Author Commented: Sorry I meant to include the error. Note the inclusion of my local drive and user information on the first line. Plus the @{......} around the expanded$logpath.

Get-Winevent : Cannot find path 'C:\Users\rwolf\@{FullName=\jill\it-dept\Docs\Docs\Monthly IT
Reports\EventLogBackup\temp\BABS-Logs-02031501} + '\' + Security.evt' because it does not exist.
At E:\Scripts\WorkInProgress.ps1:178 char:24
+                    $result = Get-Winevent -Path$logfile -oldest | where-object {$_.Id ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (@{FullName=\\ji... + Security.evt:String) [Get-WinEvent], I temNotFoundException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.GetWinEventCommand 0 Author Commented: I can get close. Results of previous combining of variables. And yes it was a type mismatch of sorts. code:$logfile = [string]$logpath + '\' +$log
Results: @{FullName=\\jill\it-dept\Docs\Docs\Monthly IT Reports\EventLogBackup\temp\BABS-Logs-02031501}\Security.evt

Now I need to figure out how to get ride of the extra text @{fullname=  and the "}" between the path and the filename.
0

Commented:
I can't tell where $logpath is coming from. But it's likely an object that has a "fullname" property. You need$logpath to be a simple object type like a string, not a complex type (an object that can have many properties), or you need to reference the specific property you're interested in.

Why don't you use something like this?
$log = "Security.evt" get-childitem$logarchiveuncpath\ -Recurse -filter $log | Select -expand fullname | %  { Get-Winevent -Path$_ -oldest | where-object {$_.Id -eq 517 -or$_.Id -eq 1102} }

You might be able to optimize the Get-Winevent command by using the -filterhashtable parameter to filter IDs, rather than piping to Where-Object, but that's for later once you get the main functionality working.
0

Author Commented:
Thanks, I'll give that a try.
0

Author Commented:
Sorry for the delay been working on another project.

Code seems to work. I'm testing it now. So far it's looking at my first server and am waiting to see if it looks at all servers. Now to get it into a report.
0

Author Commented:
Again sorry for the delay. Got pulled off of this project to deal with another pressing one "Can you say squeaky wheel?". Anyway was able to work with it a little bit still getting some errors. I'm possible going to look at another method which "might" make searching easier. And that is to convert the log files into XML. I'll get back with the progress.
0

Commented:
I may be able to help you, but you'll have to post the code you're running and the errors you're seeing...

I'm doubtful that converting the logs to XML would make things easier, but without knowing more about your situation, I couldn't really say.
0

Author Commented:
Thanks, I'll post the code as soon as possible. I'm out of the office today so I'm not sure if it will happen today.
0

Author Commented:
Well due to a computer crash I've lost all my code for this project (and many others). So I'll be starting all over. Not sure if it's reasonable to keep this question open but for the moment I'll do so. If I can't get back to this soon I'll delete the question.

Thanks.
Richard.
0

Author Commented:
OK, I've been able to work with this and yes it does work but I'm missing something. It appears as it's going through the logs there's no definition between servers. What I will be doing is a formatted html document so I need the computer name. How can I add a display for the computer name? I'm trying to break down what you've posted to where I can get the information I need.

Thanks.
0

Commented:
Without knowing what code you're using, I can only provide some general advice.  Save the computer name to a variable.  Get-WinEvent outputs objects, and you'll probably use a Select-Object statement to choose which properties of those objects you want.  So with Select-Object, add a calculated property for the computer name, utilizing the previously mentioned variable as the value.
0

Author Commented:
OK, good idea. I also thought about breaking the get-winevent down into a for each loop and only pass one computer at a time but that comes with it's own problems. I like what you've done it's just that parsing thought about 175 folders takes a long time. As these eventlogs are backed up based on the security log being full I'm looking at 1. only backing up the security log as the all the others overwrite as necessary. and 2. increase the log size to slow down the number of log full events.
0

Commented:
If you have many computer names, you'll almost assuredly be using a foreach loop (either the foreach statement or ForEach-Object) to cycle through them.  The name has to come from somewhere, usually a file (or sometimes an AD query) but could be the name of a parent folder.  So depending on where the name comes from your approach can change a bit.
0

Author Commented:
Thanks, If I understand the statement correctly I should be able to substitute the $logarchiveuncpath with the computer specific folders i.e. IT-DEPT-Logs-xxxxxx <-date to work with the specific logs. 0 Commented: Sounds reasonable. But again, without knowing what code you're using I couldn't say more. Also I don't know what your folder structure is like, whether logs are all kept on the same server, etc. 0 Author Commented: OK fair enough. Let me put together what I've got and I'll upload it so you can see. 0 Author Commented: OK, this is a snippet of the total code but is broken down and works for the most part. I'm not getting any results even though I know Event ID 517 and 1102 are present in the logs.$logarchiveuncpath = "\\jill\IT-Dept\Docs\Docs\Monthly IT Reports\EventLogBackup\temp"
$log = "Security.evt"$strComputers = @()
$strComputers = Get-ADComputer -Filter {OperatingSystem -like "*server*"} -Properties OperatingSystem | Select-Object name | Sort-Object name | foreach {$_.Name}

foreach ($computer in$strComputers)
{
$compname = get-childitem$logarchiveuncpath | sort-object -Property name | Select-String -pattern "$computer"$computer
foreach ($comp in$compname)
{ $comp get-childitem "$logarchiveuncpath$comp" -recurse -filter$log | Select -expand fullname | Foreach-object
{ Get-Winevent -Path $_ -oldest | where-object {$_.Id -eq 517 -or $_.Id -eq 1102} } } Pause } I know it's working the folders as this is the results I see (due to printing of certain variables). BABS BABS-Logs-02031501 babs-Logs-02061557 babs-Logs-02131527 babs-Logs-02131540 babs-Logs-02201516 babs-Logs-03021533 Press Enter to continue...: This is the format for the folders for all servers. 0 Commented: I'm not confident about it getting the folders right. Select-String is more for looking inside text files. Try this. foreach ($computer in $strComputers) {$compname = Get-ChildItem $logarchiveuncpath | Where {$_.name -match "$computer" } | Select -ExpandProperty FullName$computer
foreach ($comp in$compname)
{ $comp Get-ChildItem$comp -recurse -filter $log | Select -expand fullname | ForEach-Object  { Get-Winevent -Path$_ -oldest | where-object {$_.Id -eq 517 -or$_.Id -eq 1102} }
}
Pause
}
`
0

Author Commented:
OK, Thanks.
0

Author Commented:
That works great. Running a test right now to see how it works. Just wish it didn't take so long to work its way through all the folders (there is a LOT of folders). Will let this run tonight and see what it looks like in the morning.
0

Author Commented:
Hmmm. Thanks. I had steered away thinking that using the hash table would be more complicated. I'll try it as the script has ran for 16+ hours and it's still not done with all the folders.
0

Author Commented:
All I can say is WOW. I never thought a search of this magnitude could be done so fast. Probably less than 5 minutes. I didn't even have time to think about timing it. I've still got some cleanup but...... looks like I will be modifying many other scripts that use the winevent cmdlet.

Again thanks.
Richard.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.