如何使用powershell根据特定成员确定集合中对象出现的频率
How to use powershell to determine the frequency of objects in a collection based on a specific member
我正在查询我们 PDC 上的安全事件日志,以观察可能表明主机或用户名受到威胁的趋势。我有代码来收集信息并清理它...
$TargetEvents 最终是这样的:
(我不知道如何在我的 post 中格式化一个看起来很正常的 table)
Host User
---- ----
host1 user1
host2 user2
host1 user3
host1 user4
host2 user4
$Events= Get-WinEvent -ComputerName MYPDC -FilterHashtable @{Logname='Security';id=4740} -MaxEvents 10
$TargetEvents=@()
foreach ($Event in $Events)
{
$obj=[PSCustomObject]@{
Host=$Event.Properties[1].value.ToString()
User=$Event.Properties[0].value.ToString()
}
$TargetEvents+=$obj
}
我希望能够创建一个摘要,但我真的被困住了。我不专业编程,只是帮助我工作的工具。
这就是我要创建的内容:
Host Frequency
---- ---------
host1 3
host2 2
User Frequency
---- ---------
user1 1
user2 1
user3 1
user4 2
Group-Object cmdlet 是你的朋友:
# rebuilding your example data
$items = @("host1 user1",
"host2 user2",
"host1 user3",
"host1 user4",
"host2 user4")
$arraylist = New-Object System.Collections.ArrayList
#loop over the objects, split at the space and assign variable values
foreach($item in $items) {
$thehost = $item.split(' ')[0]
$theuser = $item.split(' ')[1]
# including | Out-Null just keeps the Add() method from outputting the number of the item
# it does not nullify your data
$arraylist.Add([PSCustomObject]@{Host=$thehost;User=$theuser}) | Out-null
}
# group by host property
$hostFrequency = $arraylist | Group-Object -Property Host
# group by user property
$userFrequency = $arraylist | Group-Object -Property User
# results arrays
$hostResults = New-Object System.Collections.ArrayList
$userResults = New-Object System.Collections.ArrayList
# group the count of hosts along with corresponding name
foreach($item in $hostFrequency)
{
$hostResults.Add([PSCustomObject]@{Host = $item.Name; Frequency = $item.Count}) | Out-Null
}
# group the count of users along with corresponding name
foreach($item in $userFrequency)
{
$userResults.Add([PSCustomObject]@{User = $item.Name; Frequency = $item.Count}) | Out-Null
}
# output all the things
$hostResults | Format-Table
$userResults | Format-Table
输出:
Host Frequency
---- ---------
host1 3
host2 2
User Frequency
---- ---------
user1 1
user2 1
user3 1
user4 2
您可以直接将 [PSCustomObject] 发送到收集整个 foreach 输出的变量:
$Events= Get-WinEvent -ComputerName MYPDC -FilterHashtable @{Logname='Security';id=4740} -MaxEvents 10
$TargetEvents= foreach ($Event in $Events){
[PSCustomObject]@{
Host=$Event.Properties[1].value.ToString()
User=$Event.Properties[0].value.ToString()
}
}
要获取数据,您可以在此处使用 Group-Object 和 -NoElement,因为只有计数(频率)和 Host/User 相关
> $TargetEvents | Group-Object Host -NoElement
Count Name
----- ----
3 host1
2 host2
要获得您想要的确切输出,请使用 Select-Object 以 重命名 计算为 属性.
的频率
$TargetEvents | Group-Object Host -NoElement | Select-Object @{n='Host';e={$_.Name}},@{n='Frequency';e={$_.Count}}
Host Frequency
---- ---------
host1 3
host2 2
$TargetEvents | Group-Object User -NoElement | Select-Object @{n='User';e={$_.Name}},@{n='Frequency';e={$_.Count}}
User Frequency
---- ---------
user1 1
user2 1
user3 1
user4 2
我正在查询我们 PDC 上的安全事件日志,以观察可能表明主机或用户名受到威胁的趋势。我有代码来收集信息并清理它...
$TargetEvents 最终是这样的: (我不知道如何在我的 post 中格式化一个看起来很正常的 table)
Host User ---- ---- host1 user1 host2 user2 host1 user3 host1 user4 host2 user4
$Events= Get-WinEvent -ComputerName MYPDC -FilterHashtable @{Logname='Security';id=4740} -MaxEvents 10
$TargetEvents=@()
foreach ($Event in $Events)
{
$obj=[PSCustomObject]@{
Host=$Event.Properties[1].value.ToString()
User=$Event.Properties[0].value.ToString()
}
$TargetEvents+=$obj
}
我希望能够创建一个摘要,但我真的被困住了。我不专业编程,只是帮助我工作的工具。
这就是我要创建的内容:
Host Frequency
---- ---------
host1 3
host2 2
User Frequency
---- ---------
user1 1
user2 1
user3 1
user4 2
Group-Object cmdlet 是你的朋友:
# rebuilding your example data
$items = @("host1 user1",
"host2 user2",
"host1 user3",
"host1 user4",
"host2 user4")
$arraylist = New-Object System.Collections.ArrayList
#loop over the objects, split at the space and assign variable values
foreach($item in $items) {
$thehost = $item.split(' ')[0]
$theuser = $item.split(' ')[1]
# including | Out-Null just keeps the Add() method from outputting the number of the item
# it does not nullify your data
$arraylist.Add([PSCustomObject]@{Host=$thehost;User=$theuser}) | Out-null
}
# group by host property
$hostFrequency = $arraylist | Group-Object -Property Host
# group by user property
$userFrequency = $arraylist | Group-Object -Property User
# results arrays
$hostResults = New-Object System.Collections.ArrayList
$userResults = New-Object System.Collections.ArrayList
# group the count of hosts along with corresponding name
foreach($item in $hostFrequency)
{
$hostResults.Add([PSCustomObject]@{Host = $item.Name; Frequency = $item.Count}) | Out-Null
}
# group the count of users along with corresponding name
foreach($item in $userFrequency)
{
$userResults.Add([PSCustomObject]@{User = $item.Name; Frequency = $item.Count}) | Out-Null
}
# output all the things
$hostResults | Format-Table
$userResults | Format-Table
输出:
Host Frequency
---- ---------
host1 3
host2 2
User Frequency
---- ---------
user1 1
user2 1
user3 1
user4 2
您可以直接将 [PSCustomObject] 发送到收集整个 foreach 输出的变量:
$Events= Get-WinEvent -ComputerName MYPDC -FilterHashtable @{Logname='Security';id=4740} -MaxEvents 10
$TargetEvents= foreach ($Event in $Events){
[PSCustomObject]@{
Host=$Event.Properties[1].value.ToString()
User=$Event.Properties[0].value.ToString()
}
}
要获取数据,您可以在此处使用 Group-Object 和 -NoElement,因为只有计数(频率)和 Host/User 相关
> $TargetEvents | Group-Object Host -NoElement
Count Name
----- ----
3 host1
2 host2
要获得您想要的确切输出,请使用 Select-Object 以 重命名 计算为 属性.
的频率$TargetEvents | Group-Object Host -NoElement | Select-Object @{n='Host';e={$_.Name}},@{n='Frequency';e={$_.Count}}
Host Frequency
---- ---------
host1 3
host2 2
$TargetEvents | Group-Object User -NoElement | Select-Object @{n='User';e={$_.Name}},@{n='Frequency';e={$_.Count}}
User Frequency
---- ---------
user1 1
user2 1
user3 1
user4 2