How to add a conditional within a hash table?

@footech helped with the following code and it works great, but I thought it was going to be simple to add a conditional within the hash table, and I am having a hard time. Also, what do the "n" and "e" stand for?
Get-WinEvent -FilterHashtable @{ logname="Security"; Id="4663"} |
Select Id, MachineName, TimeCreated,
        @{n="AccountName";e={($_.Properties.value)[1]}},
        @{n="ObjectName";e={($_.Properties.value)[6]}}

The conditional I am looking for is Where AccountName -ne "sqladminprod"

Thanks,
Asked by: namerg (Systems Administrator)
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
"n" is short for "name". This can also be "label" or "l". It determines the name to use as output.
"e" is "expression", and requires a scriptblock as argument. It sets the value to show.

A filter condition has to be placed into a Where-Object (abbrev. ?) if not available with the original cmdlet (which would be the best option - fastest, less resource usage).
Since the filter column is constructed in the Select-Object, the filter has to be applied after that.
Get-WinEvent -FilterHashtable @{ logname="Security"; Id="4663"} |
  Select Id, MachineName, TimeCreated,
          @{n="AccountName"; e={($_.Properties.value)[1]}},
          @{n="ObjectName" ; e={($_.Properties.value)[6]}}  |
  ? { $_.AccountName -ne 'sqladminprod' }

1

 
namerg (Systems Administrator, author) commented:
Thanks Qlemo,
I was able to export it to a CSV, but I found that file audit records every action that the user does (open folder, subfolder, until reaching the file), and that could happen in a minute. So in my CSV I found duplicate timestamps because of the multiple actions that the user does. It is valid, but it would be nice if I could read the TimeCreated and, when the next one has the same timestamp, discard it and leave only one, not duplicates.

Get-WinEvent -FilterHashtable @{ logname="Security"; Id="4663"} |
  Select Id, MachineName, TimeCreated,
          @{n="AccountName"; e={($_.Properties.value)[1]}},
          @{n="ObjectName" ; e={($_.Properties.value)[6]}}  |
  Where-Object { $_.AccountName -ne 'sqladminprod' }

CSV
"Id","MachineName","TimeCreated","AccountName","ObjectName"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"

Desired CSV
"Id","MachineName","TimeCreated","AccountName","ObjectName"
"4663","Hostname","1/19/2018 12:10:05 PM","UserName","D:\Path\filename.xls"
"4663","Hostname","1/19/2018 12:09:58 PM","UserName","D:\Path\filename.xls"

Thanks for your help,
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The obvious but probably less well performing way is to filter with sort -unique:
Get-WinEvent -FilterHashtable @{ logname="Security"; Id="4663"} |
  Select Id, MachineName, TimeCreated,
          @{n="AccountName"; e={($_.Properties.value)[1]}},
          @{n="ObjectName" ; e={($_.Properties.value)[6]}}  |
  Where-Object { $_.AccountName -ne 'sqladminprod' } |
  Sort-Object TimeCreated -unique

0
 
namerg (Systems Administrator, author) commented:
Hmm, somehow I am still getting duplicate TimeCreated times

Id          : 4663
MachineName : computername.domain.lcl
TimeCreated : 1/19/2018 1:06:49 PM
AccountName : UserName
ObjectName  : D:\PROD Reporting

Id          : 4663
MachineName : computername.domain.lcl
TimeCreated : 1/19/2018 1:06:49 PM
AccountName : UserName
ObjectName  : D:\PROD Reporting

0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Yes, true, -unique is applied to the complete object, not only the property to sort for. So we have to use a manual approach:
$lastTime = $null
Get-WinEvent -FilterHashtable @{ logname="Security"; Id="4663"} |
   Select Id, MachineName, TimeCreated,
           @{n="AccountName"; e={($_.Properties.value)[1]}},
           @{n="ObjectName" ; e={($_.Properties.value)[6]}}  |
   ? { $_.AccountName -ne 'sqladminprod' } |
   Sort-Object TimeCreated |
   ? { $lastTime -le $_.TimeCreated } |
   % { $lastTime = $_.TimeCreated.AddSeconds(1); $_ } |
   ft -a

It is a bit tricky because time stamps are more precise than only to the second, and having exactly the same timestamp twice is unlikely. I've used a fuzziness of 1 second.
1
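
An added example, not part of the original thread: one way to reach the "Desired CSV" is to truncate TimeCreated to the second and deduplicate on second, AccountName and ObjectName together, so different files touched in the same second are still kept. `Select-UniqueAccess`, `New-Row` and the sample rows are hypothetical names and constructed data used only for illustration.

```powershell
function Select-UniqueAccess {
    # Hypothetical helper (not from the thread): keeps the first event seen per
    # (second, account, object) key and drops later repeats of that key.
    param(
        [Parameter(ValueFromPipeline = $true)] $InputObject,
        [string[]] $ExcludeAccount = @()
    )
    begin { $seen = New-Object 'System.Collections.Generic.HashSet[string]' }
    process {
        # Same effect as the thread's Where-Object filter on AccountName.
        if ($ExcludeAccount -contains $InputObject.AccountName) { return }
        # TimeCreated carries sub-second ticks; strip them so events that
        # display the same second also compare equal.
        $t = $InputObject.TimeCreated
        $second = $t.AddTicks(-($t.Ticks % [TimeSpan]::TicksPerSecond))
        $key = ('{0:o}|{1}|{2}' -f $second, $InputObject.AccountName,
                $InputObject.ObjectName).ToLowerInvariant()
        # HashSet.Add returns $false when the key was already present.
        if ($seen.Add($key)) { $InputObject }
    }
}

# Constructed sample rows shaped like the Select-Object output in the thread.
function New-Row($time, $account, $path) {
    [pscustomobject]@{ Id = 4663; MachineName = 'Hostname'; TimeCreated = $time
                       AccountName = $account; ObjectName = $path }
}
$base = [datetime]'2018-01-19T12:10:05'
$rows = @(
    New-Row ($base.AddMilliseconds(120)) 'UserName'     'D:\Path\filename.xls'
    New-Row ($base.AddMilliseconds(480)) 'UserName'     'D:\Path\filename.xls'
    New-Row ($base.AddMilliseconds(910)) 'UserName'     'D:\Path\filename.xls'
    New-Row ($base.AddMilliseconds(300)) 'UserName'     'D:\Path\other.xls'
    New-Row ($base.AddMilliseconds(500)) 'sqladminprod' 'D:\Path\filename.xls'
    New-Row ($base.AddSeconds(-7))       'UserName'     'D:\Path\filename.xls'
)

$rows | Select-UniqueAccess -ExcludeAccount 'sqladminprod' | Format-Table -AutoSize

# Against the live log, pipe the thread's Get-WinEvent | Select-Object
# projection into Select-UniqueAccess in place of $rows.
```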
 
aikimark commented:
You are basing your 'sameness' on the formatted time, which is rounded at the second level. In an earlier comment you mentioned that the user might do several things within a minute. I'm seeing a discrepancy between seconds and minutes in this problem.
0
 
namerg (Systems Administrator, author) commented:
@Qlemo, I think you did your magic. Let me evaluate it today and I will get back to you. Thumbs up.
0
 
Jason Crawford (Transport Ninja) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Qlemo (https:#a42440503)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

exchangepro
Experts-Exchange Cleanup Volunteer
0
Question has a verified solution.
