PowerShell Select-Object Details
Select-Object is a very powerful tool for any PowerShell user. Many PowerShell cmdlets return a LOT of information when executed. Select-Object makes it really easy to reduce the noise and only display those fields that are meaningful. See below:
$events = get-eventlog system -newest 25
$events | select TimeGenerated,EntryType,Message
The first command will store the most recent 25 entries from your system log in a variable called $events. The second command prints the contents of that variable, selecting only the TimeGenerated, EntryType and Message columns (you might want to pipe all of that into Format-List, alias FL, in order to make it more readable).
Ok, so that’s made it easy for us to filter the results that get displayed on screen, but that’s not usually the problem with event logs (or at least, not the main problem). When you’re troubleshooting a problem, you probably want to filter the results to only show errors and warnings, then just display the relevant fields. Where-Object to the rescue:
$events | where {$_.EntryType -ne "information"} |
select TimeGenerated,EntryType,Message
Ok, that line will only display lines that are not Information… but there can still be a lot of clutter! Some errors will cause thousands of identical entries in the event logs – sometimes thousands per minute or even per second! How do you deal with that? Do you write a complicated loop that checks to see if the system has already displayed those results and then suppresses duplicates? Well, you could… or you could just use the -Unique switch on Select-Object. Try this on for size:
$events | where {$_.EntryType -ne "information"} |
select TimeGenerated,EntryType,Message -unique
Now, the system only displays unique entries. That’s right, a single switch on that command has resolved all of that duplication, making the onerous task of searching through event logs at least a little bit easier.
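Select-Object -Unique compares the values of every selected property, so repeated errors whose TimeGenerated values differ are still listed separately. The following is an added example, not code from the original post, that collapses repeats with Group-Object and keeps a count plus first and last timestamps; the sample records and the Get-EventSummary function name are constructed for illustration.

```powershell
# Constructed sample records standing in for Get-EventLog output (not real log data).
$t0 = Get-Date '2024-01-01T09:00:00'
$events = @(
    [pscustomobject]@{ TimeGenerated = $t0;               EntryType = 'Error';       Source = 'Disk'; Message = 'Bad block on device 1' }
    [pscustomobject]@{ TimeGenerated = $t0.AddSeconds(1); EntryType = 'Error';       Source = 'Disk'; Message = 'Bad block on device 1' }
    [pscustomobject]@{ TimeGenerated = $t0.AddSeconds(2); EntryType = 'Error';       Source = 'Disk'; Message = 'Bad block on device 1' }
    [pscustomobject]@{ TimeGenerated = $t0.AddSeconds(5); EntryType = 'Warning';     Source = 'Time-Service'; Message = 'Clock skew detected' }
    [pscustomobject]@{ TimeGenerated = $t0.AddSeconds(9); EntryType = 'Information'; Source = 'Service Control Manager'; Message = 'Service started' }
)

# Hypothetical helper: one output row per distinct (EntryType, Source, Message).
function Get-EventSummary {
    param([Parameter(Mandatory)][object[]]$Events)

    $Events |
        Where-Object { $_.EntryType -ne 'Information' } |
        # TimeGenerated is deliberately left out of the grouping key,
        # otherwise every entry would land in its own group.
        Group-Object -Property EntryType, Source, Message |
        ForEach-Object {
            # @() keeps this an array even when the group has one member.
            $times = @($_.Group.TimeGenerated | Sort-Object)
            [pscustomobject]@{
                Count     = $_.Count
                EntryType = $_.Group[0].EntryType
                Source    = $_.Group[0].Source
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
                Message   = $_.Group[0].Message
            }
        } |
        Sort-Object -Property Count -Descending
}

# The noisiest entries come first, which is usually where triage starts.
Get-EventSummary -Events $events | Format-Table -AutoSize
```

To run it against a live log, pass the $events variable from the first command instead of the sample array.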
Let’s talk about another scenario (actually, the scenario that inspired this post!). If you’re writing a script where you want the user to be able to specify the columns that are displayed (via Select), how do you accomplish that? My first inclination was to do the following:
$userIn = read-host "Enter the columns that you wish to display"
$events | select $userIn
If you try that (after typing multiple columns, such as “EntryType,Message”), you’ll see a single big column with no data and a heading of “EntryType,Message”. That’s right, since $userIn is a single string (that happens to contain a comma), Select tries to find a single Property that matches that string. So, how do you fix this?
It’s actually quite easy. In order for Select to get multiple Properties, it wants each Property name to be specified as its own string… so we just need an array of strings. Here’s how I did it:
$userIn = (read-host "Enter the columns that you wish to display") -split ","
$events | select $userIn
I’ve wrapped the “read-host” call in parentheses so that the -split operator is applied to the string it returns. I’ve told -split to break that string into an array of strings, using the comma as the delimiter. This results in an array of strings, which is exactly what Select-Object is looking for.
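When the column list comes from whoever runs the script, it is worth trimming each name and checking it against the properties the objects really have before handing it to Select-Object, which also accepts wildcards such as "*". The following is an added example, not code from the original post; the Resolve-ColumnList function name and the sample record are constructed for illustration.

```powershell
# Constructed sample record standing in for one Get-EventLog entry.
$events = @(
    [pscustomobject]@{
        TimeGenerated = Get-Date '2024-01-01T09:00:00'
        EntryType     = 'Error'
        Source        = 'Disk'
        Message       = 'Bad block on device 1'
    }
)

# Hypothetical helper: turn "EntryType, message" into validated property names.
function Resolve-ColumnList {
    param(
        [Parameter(Mandatory)][string]$UserInput,
        [Parameter(Mandatory)][object]$Sample
    )
    # Names the objects really have; anything else is rejected.
    $valid = @($Sample.PSObject.Properties.Name)

    # Split on commas, trim whitespace, drop empty items ("a,,b" or a trailing comma).
    $requested = @($UserInput -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })
    if ($requested.Count -eq 0) { throw 'No column names were entered.' }

    foreach ($name in $requested) {
        # -notcontains is case-insensitive, so "message" matches "Message".
        # Wildcards such as "*" are not exact names and are refused here.
        if ($valid -notcontains $name) {
            throw "Unknown column '$name'. Valid columns: $($valid -join ', ')"
        }
        # Emit the canonical spelling of the property name.
        $valid | Where-Object { $_ -eq $name }
    }
}

# In a script, replace the literal with (Read-Host "Enter the columns that you wish to display").
$columns = Resolve-ColumnList -UserInput 'EntryType, message' -Sample $events[0]
$events | Select-Object -Property $columns
```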