导入 CSV 并按名称分组,然后按日期时间的第一个实例
Import CSV and group by name and then first instance of datetime
我正在尝试获取多台计算机的 RDP 会话事件(事件 ID:22 和 25)并导出为 CSV 文件。我需要获取用户每天启动的 RDP 会话的第一个实例(可能有很多 RDP 会话 reconnection/day),这样我就可以创建一个报告,每个用户什么时候启动第一个 RDP 会话。
$week = (Get-Date) - (New-TimeSpan -Day 10)
$Events = Get-WinEvent -ComputerName $ComputerName -LogName $LogName | Where-Object { ($_.TimeCreated -ge $week) -and (($_.Id -eq '22') -or ($_.Id -eq '25')) }
foreach ($Event in $Events) {
$EventXml = [xml]$Event.ToXML()
$EventTime = $Event.TimeCreated.ToString()
$Username = $EventXml.Event.UserData.EventXML.User
}
CSV 文件的时间列包含 (mm/dd/yyyy HH:mm) 格式的连接时间。我正在努力获取组和排序命令以获取每天的第一个连接实例。
任何帮助将不胜感激。
我添加了很多评论来帮助您进行思考
$logFilter=@{
LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID=22,25
StartTime=[datetime]::Now.Adddays(-30)
}
# Get all events 22 & 25 for the past 30 days
$events=Get-WinEvent -FilterHashtable $logFilter
# Since we want the first Event per Date, we need to
# group all events by each Day
$groupByDay=$Events|Group-Object {$_.TimeCreated.ToShortDateString()}
# Looks like this
PS /> $groupByDay
Count Name Group
----- ---- -----
68 5/4/2021 {System.Diagnostics.Even...
76 5/3/2021 {System.Diagnostics.Even...
12 5/2/2021 {System.Diagnostics.Even...
22 5/1/2021 {System.Diagnostics.Even...
62 4/30/2021 {System.Diagnostics.Even...
46 4/29/2021 {System.Diagnostics.Even...
# Now we want to group each day by User and get the first log for each one of them
# To see an example of how it looks you can use this =>
$groupByDay[0].Group|Group-Object {$_.Properties.Value[0]}
# Note
$events[0].Properties.Value[0]
# Is the same as
([xml]$events[0].ToXml()).Event.UserData.EventXML.User
# Create a new export grid
$grid=[collections.generic.list[pscustomobject]]::new()
# For each day in all days logs
foreach($group in $groupByDay)
{
$groupByUsers=$group.Group|Group-Object {$_.Properties.Value[0]}
foreach($user in $groupByUsers)
{
# Logs are always sorted by newest to oldest
# we can assume that the first log we get from pipeline
# is the one we want for each user
$temp=$user.group|Select -First 1
# Add this object to our export grid
$grid.Add(
[pscustomobject]@{
Time=$temp.TimeCreated.ToString('MM/dd/yyyy HH:mm')
EventID=$temp.Id
User=$user.Name
})
}
}
导出应如下所示:
Time
EventID
User
05/04/2021 16:00
25
user.example1
05/04/2021 15:55
25
user.example2
05/04/2021 14:40
22
user.example3
05/03/2021 16:00
25
user.example1
05/03/2021 15:55
25
user.example2
05/03/2021 14:40
22
user.example3
我正在尝试获取多台计算机的 RDP 会话事件(事件 ID:22 和 25)并导出为 CSV 文件。我需要获取用户每天启动的 RDP 会话的第一个实例(可能有很多 RDP 会话 reconnection/day),这样我就可以创建一个报告,每个用户什么时候启动第一个 RDP 会话。
$week = (Get-Date) - (New-TimeSpan -Day 10)
$Events = Get-WinEvent -ComputerName $ComputerName -LogName $LogName | Where-Object { ($_.TimeCreated -ge $week) -and (($_.Id -eq '22') -or ($_.Id -eq '25')) }
foreach ($Event in $Events) {
$EventXml = [xml]$Event.ToXML()
$EventTime = $Event.TimeCreated.ToString()
$Username = $EventXml.Event.UserData.EventXML.User
}
CSV 文件的时间列包含 (mm/dd/yyyy HH:mm) 格式的连接时间。我正在努力获取组和排序命令以获取每天的第一个连接实例。
任何帮助将不胜感激。
我添加了很多评论来帮助您进行思考
$logFilter=@{
LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
ID=22,25
StartTime=[datetime]::Now.Adddays(-30)
}
# Get all events 22 & 25 for the past 30 days
$events=Get-WinEvent -FilterHashtable $logFilter
# Since we want the first Event per Date, we need to
# group all events by each Day
$groupByDay=$Events|Group-Object {$_.TimeCreated.ToShortDateString()}
# Looks like this
PS /> $groupByDay
Count Name Group
----- ---- -----
68 5/4/2021 {System.Diagnostics.Even...
76 5/3/2021 {System.Diagnostics.Even...
12 5/2/2021 {System.Diagnostics.Even...
22 5/1/2021 {System.Diagnostics.Even...
62 4/30/2021 {System.Diagnostics.Even...
46 4/29/2021 {System.Diagnostics.Even...
# Now we want to group each day by User and get the first log for each one of them
# To see an example of how it looks you can use this =>
$groupByDay[0].Group|Group-Object {$_.Properties.Value[0]}
# Note
$events[0].Properties.Value[0]
# Is the same as
([xml]$events[0].ToXml()).Event.UserData.EventXML.User
# Create a new export grid
$grid=[collections.generic.list[pscustomobject]]::new()
# For each day in all days logs
foreach($group in $groupByDay)
{
$groupByUsers=$group.Group|Group-Object {$_.Properties.Value[0]}
foreach($user in $groupByUsers)
{
# Logs are always sorted by newest to oldest
# we can assume that the first log we get from pipeline
# is the one we want for each user
$temp=$user.group|Select -First 1
# Add this object to our export grid
$grid.Add(
[pscustomobject]@{
Time=$temp.TimeCreated.ToString('MM/dd/yyyy HH:mm')
EventID=$temp.Id
User=$user.Name
})
}
}
导出应如下所示:
| Time | EventID | User |
|---|---|---|
| 05/04/2021 16:00 | 25 | user.example1 |
| 05/04/2021 15:55 | 25 | user.example2 |
| 05/04/2021 14:40 | 22 | user.example3 |
| 05/03/2021 16:00 | 25 | user.example1 |
| 05/03/2021 15:55 | 25 | user.example2 |
| 05/03/2021 14:40 | 22 | user.example3 |