Get-FilteredEvents.ps1


Description

Purpose

Retrieves filtered events from specified event logs on one or more computers.

Detailed Description

The Get-FilteredEvents function retrieves events from specified event logs on one or more computers, based on the specified selection criteria. It allows filtering events by computer name, log name, time range, event ID, event level, and provider name.

Usage

Example 1

Get-FilteredEvents -LogName "System" -StartTime (Get-Date).AddDays(-7) -EndTime (Get-Date) -Level "Error"

Retrieves all error events from the “System” event log in the past 7 days.

Example 2

Get-FilteredEvents -ComputerNames "Server1", "Server2" -LogName "Application" -ID 1001 -ProviderName "MyApp"

Retrieves events with ID 1001 from the “Application” event log on “Server1” and “Server2” that were generated by the “MyApp” provider.
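As an added example that is not part of the original page, the following calls Get-FilteredEvents one computer at a time so that each summary row keeps its source host, treats the function's "no events found" exception for a single host as an empty result rather than aborting the run, and writes a per-host count of error events by ID and provider to CSV. The server names and the output path are placeholders.

```powershell
# Added example: summarise System-log error events per server using Get-FilteredEvents.
# Assumes the Get-FilteredEvents function from this page is already loaded in the session.
$servers = @('Server1', 'Server2')           # placeholder computer names
$since   = (Get-Date).AddHours(-24)

$summary = foreach ($server in $servers) {
    try {
        # One computer per call so the host name can be attached to every row.
        Get-FilteredEvents -ComputerNames $server -LogName 'System' -StartTime $since -EndTime (Get-Date) -Level 'Error' |
            Group-Object -Property ID, ProviderName |
            ForEach-Object {
                [pscustomobject]@{
                    ComputerName = $server
                    ID           = $_.Group[0].ID
                    ProviderName = $_.Group[0].ProviderName
                    Count        = $_.Count
                    # Most recent occurrence within the queried window.
                    LastSeen     = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
                }
            }
    }
    catch {
        # The function throws when a host has no matching events (and on connection failures);
        # report it and continue with the next host instead of stopping the whole run.
        Write-Warning "$server : $($_.Exception.Message)"
    }
}

if ($summary) {
    $summary | Sort-Object Count -Descending | Format-Table -AutoSize
    $summary | Export-Csv -Path ".\system-errors-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
}
else {
    Write-Warning 'No error events were returned by any of the queried servers.'
}
```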

Notes

This function requires administrative privileges to retrieve events from remote computers.


Script

<#
.SYNOPSIS
Retrieves filtered events from specified event logs on one or more computers.

.DESCRIPTION
The Get-FilteredEvents function retrieves events from specified event logs on one or more computers, based on the specified selection criteria. It allows filtering events by computer name, log name, time range, event ID, event level, and provider name.

.PARAMETER ComputerNames
Specifies the names of the computers from which to retrieve events. By default, it retrieves events from the local computer.

.PARAMETER LogName
Specifies the name of the event log from which to retrieve events. This parameter is mandatory.

.PARAMETER StartTime
Specifies the start time of the event range. By default, it is set to the beginning of the current day.

.PARAMETER EndTime
Specifies the end time of the event range. By default, it is set to the end of the current day.

.PARAMETER ID
Specifies one or more event IDs to filter events by.

.PARAMETER Level
Specifies the event level to filter events by. Valid values are "Critical", "Error", "Warning", "Information", and "Verbose".

.PARAMETER ProviderName
Specifies the provider name to filter events by.

.OUTPUTS
System.Management.Automation.PSCustomObject[]
Returns an array of custom objects representing the filtered events. Each object contains the following properties:
- MachineName: The name of the computer the event was read from.
- TimeCreated: The date and time when the event was created.
- ID: The ID of the event.
- ProviderName: The name of the event provider.
- LevelDisplayName: The display name of the event level.
- Message: The message associated with the event.

.EXAMPLE
Get-FilteredEvents -LogName "System" -StartTime (Get-Date).AddDays(-7) -EndTime (Get-Date) -Level "Error"
Retrieves all error events from the "System" event log in the past 7 days.

.EXAMPLE
Get-FilteredEvents -ComputerNames "Server1", "Server2" -LogName "Application" -ID 1001 -ProviderName "MyApp"
Retrieves events with ID 1001 from the "Application" event log on "Server1" and "Server2" that were generated by the "MyApp" provider.

.NOTES
This function requires administrative privileges to retrieve events from remote computers.
#>

function Get-FilteredEvents {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false)]
        [string[]]$ComputerNames = @($env:COMPUTERNAME),

        [Parameter(Mandatory = $true)]
        [string]$LogName,

        # Midnight of the current day (no stray milliseconds from the current time).
        [Parameter(Mandatory = $false)]
        [datetime]$StartTime = (Get-Date).Date,

        # Last tick of the current day.
        [Parameter(Mandatory = $false)]
        [datetime]$EndTime = (Get-Date).Date.AddDays(1).AddTicks(-1),

        # Get-WinEvent expects integer event IDs in the filter hash table, so the parameter is typed accordingly.
        [Parameter(Mandatory = $false)]
        [int[]]$ID,

        [Parameter(Mandatory = $false)]
        [ValidateSet("Critical", "Error", "Warning", "Information", "Verbose")]
        [string]$Level,

        [Parameter(Mandatory = $false)]
        [string]$ProviderName
    )

    # Numeric level values as stored in the Windows event log and expected by Get-WinEvent -FilterHashtable.
    $LevelMapping = @{
        "Critical"    = 1
        "Error"       = 2
        "Warning"     = 3
        "Information" = 4
        "Verbose"     = 5
    }

    # Build the filter once, before the loop; every criterion is applied by the event log service
    # on the queried computer, so only matching events are transferred.
    $FilterHashTable = @{ 'LogName' = $LogName; 'StartTime' = $StartTime; 'EndTime' = $EndTime }
    if ($PSBoundParameters.ContainsKey('ID')) {
        $FilterHashTable['ID'] = $ID
    }
    if ($Level) {
        $FilterHashTable['Level'] = $LevelMapping[$Level]
    }
    if ($ProviderName) {
        $FilterHashTable['ProviderName'] = $ProviderName
    }

    $allEvents = @()
    foreach ($ComputerName in $ComputerNames) {
        try {
            # MachineName is kept so that results from several computers remain distinguishable.
            $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $FilterHashTable -ErrorAction Stop |
                Select-Object MachineName, TimeCreated, ID, ProviderName, LevelDisplayName, Message
            if ($events) {
                $allEvents += $events
            }
        }
        catch {
            # Report on the warning stream so the message is not mixed into the returned event objects.
            # Get-WinEvent also raises an error when a computer has no matching events, which lands here.
            Write-Warning "Could not retrieve events from '$ComputerName': $($_.Exception.Message)"
        }
    }
    if ($allEvents.Count -eq 0) {
        throw "No events were found that match the specified selection criteria."
    }
    return $allEvents
}

Download

Please feel free to copy parts of the script or if you would like to download the entire script, simply click the download button. You can download the complete repository in a zip file by clicking the Download link in the menu bar on the left hand side of the page.


Report Issues

You can report an issue or contribute to this site on GitHub. Simply click the button below and add any relevant notes. I will attempt to respond to all issues as soon as possible.
