PowerShell,Get-WinEvent -FilterHashTable ID 和数组的奇怪行为
PowerShell, weird behaviour of Get-WinEvent -FilterHashTable ID and arrays
我想做什么?
我 运行 带有 -FilterHashTable 的 Get-WinEvent 函数为 ID 参数提供了一组有趣的事件 ID。
$IDS = 4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4741,4742,4743,4744,4745,4746,4747,4748,4749,4750,4751,4752,4753,4754,4755,4756,4757,4758,4759,4760,4761,4762,4763,4764,4767,4781
Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDS; }
返回错误:
# Get-WinEvent : No events were found that match the specified selection criteria.
(我知道匹配事件确实存在)
我注意到,对于较小的数组,该函数返回了积极的结果,因此经过几次尝试,我断言:
- 使用数组计数
-le 23 的直接调用工作正常;
- 直接调用数组计数
-gt 23 导致错误。
看似合适的解决方案...
我假设 23 是 Get-WinEvent 的底层机制可以处理的未记录的参数限制,然后决定将调用拆分为多个具有较小数组的调用:
$MaxCount = 23
For ( $i = 0; $i -lt $IDS.count; $i += $MaxCount ) {
$IDSChunks += ,@( $IDS[ $i..($i+$MaxCount-1) ] )
}
这样我们就把数组分成了两部分,每部分有 -le 23 个元素:
$IDSChunks | %{ $_ -join "," }
4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4741,4742,4743,4744,4745
4746,4747,4748,4749,4750,4751,4752,4753,4754,4755,4756,4757,4758,4759,4760,4761,4762,4763,4764,4767,4781
手动检查,这按预期工作:
Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDSChunks[0]; }
Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDSChunks[1]; }
但是...
然而,这不是:
$IDSChunks | %{ Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$_; } }
结果出现了熟悉的错误:
# Get-WinEvent : No events were found that match the specified selection criteria.
# Get-WinEvent : No events were found that match the specified selection criteria.
为什么?
我做错了什么?
我仍在尝试调查原因,但如果您将管道变量强制为数组,我可以让它工作。它已经是一个对象数组,但可能正在展开。这应该与您显式调用元素时没有什么不同。我同意这很奇怪
$IDSChunks | %{ Get-WinEvent -ComputerName dckan08ba -FilterHashTable @{ LogName='Security'; ID=@($_)} }
添加正在转换为 space 分隔字符串的详细开关支持。它应该是这样的:
VERBOSE: Constructed structured query:
*[((System/EventID=4746) or (System/EventID=4747) or
(System/EventID=4748) or (System/EventID=4749) or (System/EventID=4750) or (System/EventID=4751) or
(System/EventID=4752) or (System/EventID=4753) or (System/EventID=4754) or (System/EventID=4755) or
(System/EventID=4756) or (System/EventID=4757) or (System/EventID=4758) or (System/EventID=4759) or
(System/EventID=4760) or (System/EventID=4761) or (System/EventID=4762) or (System/EventID=4763) or
(System/EventID=4764) or (System/EventID=4767) or (System/EventID=4781))].
而是这样做:
VERBOSE: Constructed structured query:
*[(System/EventID=4746 4747 4748 4749 4750 4751 4752
4753 4754 4755 4756 4757 4758 4759 4760 4761 4762 4763 4764 4767 4781)].
我想做什么?
我 运行 带有 -FilterHashTable 的 Get-WinEvent 函数为 ID 参数提供了一组有趣的事件 ID。
$IDS = 4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4741,4742,4743,4744,4745,4746,4747,4748,4749,4750,4751,4752,4753,4754,4755,4756,4757,4758,4759,4760,4761,4762,4763,4764,4767,4781
Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDS; }
返回错误:
# Get-WinEvent : No events were found that match the specified selection criteria.
(我知道匹配事件确实存在)
我注意到,对于较小的数组,该函数返回了积极的结果,因此经过几次尝试,我断言:
- 使用数组计数
-le 23的直接调用工作正常; - 直接调用数组计数
-gt 23导致错误。
看似合适的解决方案...
我假设 23 是 Get-WinEvent 的底层机制可以处理的未记录的参数限制,然后决定将调用拆分为多个具有较小数组的调用:
$MaxCount = 23
For ( $i = 0; $i -lt $IDS.count; $i += $MaxCount ) {
$IDSChunks += ,@( $IDS[ $i..($i+$MaxCount-1) ] )
}
这样我们就把数组分成了两部分,每部分有 -le 23 个元素:
$IDSChunks | %{ $_ -join "," }
4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4741,4742,4743,4744,4745
4746,4747,4748,4749,4750,4751,4752,4753,4754,4755,4756,4757,4758,4759,4760,4761,4762,4763,4764,4767,4781
手动检查,这按预期工作:
Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDSChunks[0]; }
Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDSChunks[1]; }
但是...
然而,这不是:
$IDSChunks | %{ Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$_; } }
结果出现了熟悉的错误:
# Get-WinEvent : No events were found that match the specified selection criteria.
# Get-WinEvent : No events were found that match the specified selection criteria.
为什么?
我做错了什么?
我仍在尝试调查原因,但如果您将管道变量强制为数组,我可以让它工作。它已经是一个对象数组,但可能正在展开。这应该与您显式调用元素时没有什么不同。我同意这很奇怪
$IDSChunks | %{ Get-WinEvent -ComputerName dckan08ba -FilterHashTable @{ LogName='Security'; ID=@($_)} }
添加正在转换为 space 分隔字符串的详细开关支持。它应该是这样的:
VERBOSE: Constructed structured query:
*[((System/EventID=4746) or (System/EventID=4747) or
(System/EventID=4748) or (System/EventID=4749) or (System/EventID=4750) or (System/EventID=4751) or
(System/EventID=4752) or (System/EventID=4753) or (System/EventID=4754) or (System/EventID=4755) or
(System/EventID=4756) or (System/EventID=4757) or (System/EventID=4758) or (System/EventID=4759) or
(System/EventID=4760) or (System/EventID=4761) or (System/EventID=4762) or (System/EventID=4763) or
(System/EventID=4764) or (System/EventID=4767) or (System/EventID=4781))].
而是这样做:
VERBOSE: Constructed structured query:
*[(System/EventID=4746 4747 4748 4749 4750 4751 4752
4753 4754 4755 4756 4757 4758 4759 4760 4761 4762 4763 4764 4767 4781)].