Monday, February 16, 2009

PowerShell/Log Parser 2.2 and Add-Member

I recently stumbled upon a great post by David Muegge titled “Log Parser and PowerShell - Part II”. David does a great job of wrapping PowerShell around Log Parser. I highly recommend that you take a look at his blog post. I was looking at his functions and decided that I should give them a try against some production data. I decided to look at failed login attempts (we have had an issue with a particular application).

What I was looking for was a count of failed logins (from the Strings property). The following code assumes that you are using David’s Library.

# Failed logons (event ID 529) from the Security log on \\XX-P01
$query = "SELECT Strings FROM '\\XX-P01\Security' WHERE EventID = 529"
$inputformat = Get-LPInputFormat "evt"
$records = Get-LPRecordSet $query $inputformat
# Add a User property (the text before the first pipe in Strings), then count per user
$records | `
Add-Member -name "User" `
-value {$this.Strings.substring(0,$this.Strings.indexof("|"))} `
-memberType ScriptProperty -force -passThru | `
Group-Object User -noElement | `
Sort-Object -descending Count | `
Select-Object -first 10

In order to get exactly what I wanted, I added a new property to this object: "User"

In order to do this, I needed to parse the Strings property of my $Records object for everything before the first pipe.

$this.Strings.substring(0,$this.Strings.indexof("|")) achieves the desired value.

This gives us:

Count Name
----- ----
81 cluster
30 mastersql
18 Administrator
9 home50
8 marg98
7 bart01
7 lisa27
6 Nels07
5 barn10
4 skin01

Just what I was looking for!
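
The same pipeline with the user-name extraction hardened, as an added example that is not part of the original post or of David's library. The records are constructed stand-ins for Get-LPRecordSet output, Get-FailedLogonUser is a hypothetical helper, and the field layout (user name first, fields joined by "|") is an assumption. It covers records that contain no pipe, where Substring(0, -1) would throw.

```powershell
# Constructed stand-ins for Get-LPRecordSet output (not real log data).
# Assumption: Strings holds the event's fields joined by "|", user name first.
$records = @(
    'cluster|CORP|3|NtLmSsp|NTLM|WKS-014',
    'mastersql|CORP|3|NtLmSsp|NTLM|WKS-020',
    'Cluster|CORP|3|NtLmSsp|NTLM|WKS-014',
    ' cluster |CORP|10|User32|Negotiate|WKS-031',
    '|CORP|3|NtLmSsp|NTLM|WKS-014',           # empty user name
    'record-without-separator',               # IndexOf("|") returns -1
    $null                                     # record with no Strings at all
) | ForEach-Object { New-Object PSObject -Property @{ Strings = $_ } }

# Hypothetical helper: return the first "|"-delimited field, normalized,
# with explicit labels for the cases the one-line Substring call cannot handle.
function Get-FailedLogonUser {
    param([string]$Strings)

    if ([string]::IsNullOrEmpty($Strings)) { return '(no strings)' }

    $i = $Strings.IndexOf('|')
    # No separator: Substring(0, -1) would throw, so use the whole value.
    if ($i -lt 0) { $name = $Strings } else { $name = $Strings.Substring(0, $i) }

    # Trim and lower-case so "Cluster" and " cluster " count as one account.
    $name = $name.Trim().ToLowerInvariant()
    if ($name -eq '') { return '(empty user name)' }
    return $name
}

# Same shape as the pipeline in the post: add User, group, sort, take the top 10.
$top = $records |
    Add-Member -Name User -MemberType ScriptProperty -Force -PassThru -Value {
        Get-FailedLogonUser $this.Strings
    } |
    Group-Object User -NoElement |
    Sort-Object Count -Descending |
    Select-Object -First 10

$top
```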

1 comment:

Anonymous said...

Thank you so much for this post, it was very insightful!
