I'm trying to get a count of the events in an event log using the following:
get-eventlog application -Entrytype Error -After (Get-Date).AddDays(-7) | group-object -property eventID, source, message
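However, because some event messages have a timestamp in the message, they don't group properly. (Technically they "are" grouping properly, but I want a count for all of those.)
For example, there is this error: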
3221241857 Failed to schedule Software Protection service for re-start at 2113-09-21T21:37:24Z. Error Code: 0x80041316.
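I want to group all of these so that I get a count of all of them on one line, rather than one line per error because it treats the message as unique since the timestamp is different.
Can I strip the timestamp with a regex or something? Not sure how to do that in PS.
Just to illustrate the point, I currently get: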
Name : 489, ESENT, taskhostex (1560) An attempt to open the file "C:\Users\xxxx\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because
it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).
Count : 12
Group : {System.Diagnostics.EventLogEntry}
Values : {489, ESENT, taskhostex (1560) An attempt to open the file "C:\Users\xxxx\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because
it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).}
Name : 16385, Software Protection Platform Service, Failed to schedule Software Protection service for re-start at 2113-09-21T15:41:11Z. Error Code: 0x80041316.
Count : 1
Group : {System.Diagnostics.EventLogEntry}
Values : {16385, Software Protection Platform Service, Failed to schedule Software Protection service for re-start at 2113-09-21T15:41:11Z. Error Code: 0x80041316.}
Name : 16385, Software Protection Platform Service, Failed to schedule Software Protection service for re-start at 2113-09-21T20:03:35Z. Error Code: 0x80041316.
Count : 1
Group : {System.Diagnostics.EventLogEntry}
Values : {16385, Software Protection Platform Service, Failed to schedule Software Protection service for re-start at 2113-09-21T20:03:35Z. Error Code: 0x80041316.}
But the errors at the bottom should be grouped together.
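
One way to do the grouping described above, as an added example that is not part of the original post: mask the ISO-8601 timestamp in each message and group on the result through a script-block property. The helper name `Get-MessageTemplate` and the `<timestamp>` token are assumptions, and the sample entries are constructed from the messages quoted in the post.

```powershell
# Constructed sample entries so the example runs offline. On a live system use:
#   $entries = Get-EventLog Application -EntryType Error -After (Get-Date).AddDays(-7)
$entries = foreach ($ts in '2113-09-21T15:41:11Z', '2113-09-21T20:03:35Z', '2113-09-21T21:37:24Z') {
    [pscustomobject]@{
        EventID = 16385
        Source  = 'Software Protection Platform Service'
        Message = "Failed to schedule Software Protection service for re-start at $ts. Error Code: 0x80041316."
    }
}
# One entry without a timestamp (message shortened for the sample) to show it is left alone
$entries += [pscustomobject]@{
    EventID = 489
    Source  = 'ESENT'
    Message = 'taskhostex (1560) An attempt to open the file for read only access failed with system error 32 (0x00000020).'
}

# Hypothetical helper: replace the volatile timestamp with a fixed token so that
# messages differing only in the timestamp produce the same grouping key.
function Get-MessageTemplate {
    param([Parameter(Mandatory)][string]$Message)
    # yyyy-MM-ddTHH:mm:ss, optional fractional seconds, optional Z or +hh:mm offset
    $pattern = '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?'
    $Message -replace $pattern, '<timestamp>'
}

# Group-Object accepts script blocks alongside property names; the third key is
# the normalized message instead of the raw Message property.
$entries |
    Group-Object -Property EventID, Source, { Get-MessageTemplate $_.Message } |
    Sort-Object -Property Count -Descending |
    Format-List -Property Count, Name
```

The original entries remain available in each group's `Group` property, so the real timestamps can still be read when a cluster needs a closer look.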