Get-WMIobject win32_ntlogevent - Newest 3 events

Question

Is there a way to pull the most recent 3 error events from the System event log using Get-WMIObject and the win32_ntlogevent class?

$log = Get-WMIobject -ComputerName $server -Credential $cred -class win32_ntlogevent -filter "(logfile='system') AND (type='error')" 

I know that Get-EventLog has a -Newest option but I don't see anything like that with WMI

Answer 1

弄清楚了

$log | sort TimeGenerated | select -last 3

Answer 2

Don't use WMI for this. Your approach will retrieve all error events from the remote host (which could take quite some time), and then discard all but the latest 3 once you have everything on the local host. Use Get-EventLog and do the filtering at the source:

Get-EventLog -LogName 'System' -EntryType 'Error' -Newest 3

Answer 3

I don't think Wmi query supports limiting the results.

If you are desperate to use your command here is a most inefficient way of getting your expected output -

Get-WMIobject win32_ntlogevent -filter "(logfile='system') AND (type='error')" | select -first 3

Cheers, G

Answer 4

Get-EventLog -LogName 'System' -EntryType 'Error' -Newest 3

WMI is the far more efficient way, and it returns the log name

$dt = $cdt = Get-Date;$CUmonth = (get-date).adddays(-30);$eventId = Get-EventLog -ComputerName $SystemlogFqdn -LogName 'System' -EntryType 'Error','Warning' -After $CUmonth;"GetMethod: $((New-TimeSpan $dt ($dt = get-date)).totalseconds)"

GetMethod: 163.585552

$dt = $cdt = Get-Date;PS C:\\Users\\User> $CUmonth = (get-date).adddays(-30);PS C:\\Users\\User> $eventID = Get-WmiObject Win32_NTLogEvent -ComputerName $SystemlogFqdn -filter "(logfile='system' AND Type <> 'Information' AND TimeWritten >= '$CUmonth')";PS C:\\Users\\User> "WMIMethod: $((New-TimeSpan $dt ($dt = get-date)).totalseconds)"

WMIMethod: 63.49941