3

我需要从这个命令的输出中提取一个特定的数字:

Get-EventLog "application" | Where-Object {$_.EventID -eq 6006}

示例输出为:

Index Time          EntryType   Source                 InstanceID Message
----- ----          ---------   ------                 ---------- -------
18297 May 15 18:49  Warning     Wlclntfy               2147489654 The winlogon notification subscriber <Profiles> took 60 second(s) to handle the notification event (Logon).
11788 Jan 31 08:11  Warning     Wlclntfy               2147489654 The winlogon notification subscriber <Profiles> took 68 second(s) to handle the notification event (Logon).
5794 Oct 16 09:41  Warning     Wlclntfy               2147489654 The winlogon notification subscriber <Sens> took 225 second(s) to handle the notification event (Logoff).
5596 Oct 11 08:03  Warning     Wlclntfy               2147489654 The winlogon notification subscriber <Profiles> took 69 second(s) to handle the notification event (Logon).
2719 Aug 30 07:50  Warning     Wlclntfy               2147489654 The winlogon notification subscriber <Profiles> took 65 second(s) to handle the notification event (Logon).

我真正需要做的是拉出事件报告的秒数<Profiles>,并拉出最大的一个。我已经弄清楚(?<=<Profiles> took )(\d+)是否可以仅提取我需要的数字,但我不确定如何继续实际提取它们。我已经尝试将它传递给 Select-String -pattern,但这根本不返回任何内容。

4

2 回答 2

3

你想要$matches内置变量。 $matches[0]是匹配正则表达式的文本,并且$matches[1] .. $matches[n]是匹配的括号表达式(如果有的话)。可悲的是,我的机器上没有任何 EventID=6006 ,所以我在没有测试的情况下这样做,但这应该从排序的秒列表中选择最后一项:

Get-EventLog "application" | 
    Where-Object {$_.EventID -eq 6006} | 
    Where-Object { $_.Message -match "<Profiles> took (\d*) second" } |
    foreach { [int]$matches[1] } |
    sort |
    select -last 1
于 2013-05-25T23:49:14.483 回答
2

您可以在没有正则表达式的情况下获取值。查看事件的 ReplacementStrings 属性。它包含一个数组,其中包含存储在事件条目中的替换字符串。

PS> $event.ReplacementStrings
Profiles
71
Logon

基于此,您可以使用数组索引来获取您所追求的值。

Get-EventLog application | 
Where-Object {$_.EventID -eq 6006 -and $_.ReplacementStrings -eq 'Profiles'} | 
Foreach-Object { $_.ReplacementStrings[1] }
于 2013-05-26T06:49:46.677 回答