WMI event filter query in PowerShell script
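I am trying to use a PowerShell script written by someone else to add two different WMI events to an SCCM server. I have to combine the two event queries into a single query, but I am not sure how best to do that. I have tried a lot of different approaches so far. Here is the code: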
    Function WMI-InstanceFilter
    {
        # Function Started
        LogTraceMessage "*** Function WMI-InstanceFilter Started ***"
        Write-Verbose "*** Function WMI-InstanceFilter Started ***"

        # Properties of the __EventFilter instance; Query is the line to fill in
        $PropertyHash = @{
            QueryLanguage  = "WQL";
            Query          = "";
            Name           = "Name";
            EventNameSpace = "root/sms/site_$($SiteCode)"
        }

        # Register the filter in root/subscription
        $Script:InstanceFilter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $PropertyHash -Verbose -ErrorAction Stop
    }
Here are the two event queries that I need to somehow combine and put into the Query line:
    SELECT * FROM __InstanceOperationEvent Within 900 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'drivers - %'
    SELECT * FROM __InstanceOperationEvent Within 300 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'BIOS - %'
What is the best way to do this?
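You are working with WQL in the query, and you can only have one WITHIN value - see https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/within-clause So you have to choose 300 (seconds = 5 minutes) or 900 (seconds = 15 minutes) or a compromise value somewhere in between.
Your combined SELECT statement looks like this
    SELECT * FROM __InstanceOperationEvent WITHIN 900 WHERE TargetInstance ISA 'SMS_Package' AND (TargetInstance.Name LIKE 'drivers - %' OR TargetInstance.Name LIKE 'BIOS - %')
Change the WITHIN value to whatever you think best suits your needs.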
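An added example (not code from the original posts) that builds the combined filter query from a list of name prefixes, groups the LIKE terms in parentheses so the ISA test applies to all of them, and skips creation when a filter with that name already exists. The function name, parameter names and sample values are hypothetical.

```powershell
# Added example; function name, parameter names and the sample values in the
# usage line are hypothetical, not taken from the original script.
function New-PackageNameEventFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Interpolated into the namespace path, so restrict it to the
        # three-character alphanumeric form of a site code.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')]
        [string]$SiteCode,

        # Interpolated into a WQL string literal below.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9 \-]+$')]
        [string]$FilterName,

        # Package name prefixes. The pattern excludes quotes and the LIKE
        # wildcards (% _ [ ]), so no escaping is needed when building the query.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9 \-]+$')]
        [string[]]$NamePrefix,

        # A single WITHIN interval applies to the whole query.
        [ValidateRange(1, 86400)]
        [int]$PollingSeconds = 300
    )

    $terms = foreach ($prefix in $NamePrefix) { "TargetInstance.Name LIKE '$prefix%'" }

    # AND binds tighter than OR in WQL: without the parentheses only the first
    # LIKE term would be restricted to SMS_Package instances.
    $query = "SELECT * FROM __InstanceOperationEvent WITHIN $PollingSeconds " +
             "WHERE TargetInstance ISA 'SMS_Package' AND ($($terms -join ' OR '))"
    Write-Verbose "WQL: $query"

    # Do not create a second filter with the same name.
    $existing = Get-CimInstance -Namespace root/subscription -ClassName __EventFilter `
        -Filter "Name = '$FilterName'" -ErrorAction Stop
    if ($existing) { return $existing }

    $properties = @{
        Name           = $FilterName
        QueryLanguage  = 'WQL'
        Query          = $query
        EventNameSpace = "root/sms/site_$SiteCode"
    }
    if ($PSCmdlet.ShouldProcess($FilterName, "Create __EventFilter: $query")) {
        New-CimInstance -Namespace root/subscription -ClassName __EventFilter `
            -Property $properties -ErrorAction Stop
    }
}

# Dry run: reports the query that would be registered without creating anything.
New-PackageNameEventFilter -SiteCode 'ABC' -FilterName 'Example package filter' `
    -NamePrefix 'drivers - ', 'BIOS - ' -PollingSeconds 300 -WhatIf
```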
Do you need both drivers and BIOS at the same time, or could you use a parameter-driven switch statement to swap between them?
Like this
    Function WMI-InstanceFilter {
        [CmdletBinding()]
        param (
            [ValidateSet('Bios', 'Drivers')]
            [string]$InstanceType
        )

        # Function Started
        LogTraceMessage "*** Function WMI-InstanceFilter Started ***"
        Write-Verbose "*** Function WMI-InstanceFilter Started ***"

        # Pick the event query (and its polling interval) for the requested type
        switch ($InstanceType) {
            'Bios' {
                $query = "SELECT * FROM __InstanceOperationEvent Within 300 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'BIOS - %'"
            }
            'Drivers' {
                $query = "SELECT * FROM __InstanceOperationEvent Within 900 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'drivers - %'"
            }
        }

        # Properties of the __EventFilter instance
        $PropertyHash = @{
            QueryLanguage  = "WQL"
            Query          = $query
            Name           = "Name"
            EventNameSpace = "root/sms/site_$($SiteCode)"
        }

        # Register the filter in root/subscription
        $Script:InstanceFilter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $PropertyHash -Verbose -ErrorAction Stop
    }