These are some event log search queries. They all thrash memory in any PowerShell session.
I have written them down for some reason. Probably so I can evolve more elegant solutions to such queries in the future.
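# Clear leftovers from a previous run so the counts printed below are not polluted.
# (Original looped over the names and tested `if ($i)`, which is always true for a
# non-empty string; Remove-Variable takes the list directly.)
Remove-Variable -Name a, b, c, d, e -ErrorAction SilentlyContinue

# Timestamp of the newest Security event at start-up. Only the commented-out
# RecordID variant below actually uses $start; kept as a "where the log was" marker.
$start = (Get-WinEvent -LogName Security -MaxEvents 1).TimeCreated

# 5156-5158 are Windows Filtering Platform connection audits (permitted / blocked /
# bind). They only exist when the "Filtering Platform Connection" audit subcategory is
# enabled, and reading Security needs elevation or Event Log Readers membership.
# -ErrorAction SilentlyContinue hides the "no events were found" error on an empty log.
# @() forces an array so .Count and the '+' merge below work for 0 or 1 results too.
$a = @(Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 50000 -FilterHashtable @{ LogName = 'Security'; ID = @(5156..5158) })
$c = @(Get-WinEvent -ErrorAction SilentlyContinue -LogName System -MaxEvents 10000 | Select-Object TimeCreated, ProcessID, ThreadID, Message)
$d = @(Get-WinEvent -ErrorAction SilentlyContinue -LogName Application -MaxEvents 10000 | Select-Object TimeCreated, ProviderName, Message)

# Extract one "Label: value" field from a multi-line event message, in process.
# The original piped every Message through findstr, i.e. two child processes per
# event (100k processes for 50k events) — that is where the time and memory went —
# and then called .Replace() on the result, which throws when findstr returns $null.
# Returns '' when the label is absent; the value is trimmed of tabs and the trailing CR.
function Get-MessageField {
  param([string]$Message, [string]$Label)
  $m = [regex]::Match($Message, '(?m)' + [regex]::Escape($Label) + '(.*)$')
  if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
}

# Flatten the WFP events to the columns worth looking at: who (Application) spoke on
# which source port, with the PID/TID from the event header.
$b = @($a | Select-Object TimeCreated, ProcessID, ThreadID,
  @{ Name = 'Port';        Expression = { Get-MessageField $_.Message 'Source Port:' } },
  @{ Name = 'Application'; Expression = { Get-MessageField $_.Message 'Application Name:' } })

# Merge the three views newest-first. The original `$e=@()` was dead (overwritten on
# the next line); the @() wrappers guard against a scalar making '+' fail.
$e = @((@($b) + @($c) + @($d)) | Sort-Object -Descending -Property TimeCreated)

# Per-log and merged counts, then the merged timeline.
$a.Count; $b.Count; $c.Count; $d.Count; $e.Count
$e | Format-Table -AutoSize -Wrap TimeCreated, Application, ProcessID, ThreadID, Port, Message

# Earlier variants, kept for reference (findstr-based, one process per field per event):
# $start=(get-winevent -log security -max 1).RecordID
# $a=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)})
# $b | where Application -match 'dropbox.exe' | ft -auto
# ($a | ? {$_.RecordID -gt $Start} | % {$_.Message | findstr /C:"Source Port"} ).count
# $b=$a | % {write "$($_.TimeCreated) : PID=$($_.ProcessID) : $($_.Message | findstr /C:"Source Port") : $($_.Message | findstr /C:"Application Name:")"}
# $b=$a | Select TimeCreated,ProcessID, @{Name="Port";Expression={($_.Message | findstr /C:"Source Port")}}, @{Name="Application";Expression={$_.Message | findstr /C:"Application Name:"}}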
# Experiment: run the three exports inside a PowerShell Workflow session. The intent
# appears to be keeping the event objects out of the interactive session's heap; whether
# that helps is not shown here. (Workflows exist in Windows PowerShell only.)
$s = New-PSWorkflowSession
# A workflow must be defined inside the session before it can be invoked there,
# hence the definition is itself sent through Invoke-Command.
Invoke-Command $s {
workflow Invoke-ParallelForEach
{
# Iterates a single value, so nothing runs in parallel; the -parallel form is kept
# as a template for fanning out over several logs or hosts.
foreach -parallel ($i in 0)
{
InlineScript
{
"foo: $using:i"
}
# NOTE(review): the three queries below are workflow statements outside the InlineScript.
# Each one materialises the full result set in $var before Export-Csv sees it, so the
# peak memory is the same as in the interactive version. Output paths are hard-coded;
# C:\ps1 must exist, and the Security export is sensitive data (process paths, ports).
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var | export-csv -path C:\ps1\application.csv
}
}
}
# Run it in the same session; -PSComputerName is a workflow common parameter.
Invoke-Command $s { Invoke-ParallelForEach -PSComputerName localhost }
# Same three exports as a plain (sequential) workflow, run in the current session.
# Each statement holds the whole result set in $var until the next assignment replaces
# it, so up to 50000 Security events stay alive while the System query runs.
# Output paths are hard-coded; C:\ps1 must exist. The Security export contains process
# paths, addresses and ports, so the directory should not be world-readable.
workflow getwinevent
{
$var=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}); $var | export-csv -path C:\ps1\security.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}); $var | export-csv -path C:\ps1\system.csv
$var=(get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}); $var | export-csv -path C:\ps1\application.csv
}
getwinevent
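# Memory-profiled version of the three exports. The original sequence had a typo on its
# third heap reading (`gc]::gettotalmemory(0)/1MB`, missing the leading '['), which is a
# parse error and stopped the whole script from running; fixed here.

# Print the managed-heap size in MB, then force a collection up to generation 2 so the
# next reading reflects live objects only. GetTotalMemory($false) does not wait for GC.
function Show-HeapMB {
  [gc]::GetTotalMemory($false) / 1MB
  [gc]::Collect(2)
}

# Export one event query to CSV. Streams straight from Get-WinEvent into Export-Csv
# instead of parking the whole result set in $var first; the original kept up to 50000
# event objects alive across the next query and GC run, which is what the readings were
# measuring. -ErrorAction SilentlyContinue hides the "no events found" error.
# Parameters: $Filter (Get-WinEvent -FilterHashtable), $MaxEvents, $Path (output CSV).
function Export-EventLog {
  param([hashtable]$Filter, [int]$MaxEvents, [string]$Path)
  Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents $MaxEvents -FilterHashtable $Filter |
    Export-Csv -Path $Path
}

# The three queries; paths are hard-coded and C:\ps1 must exist. The Security export
# holds process paths, addresses and ports — keep that directory restricted.
$exports = @(
  @{ Filter = @{ LogName = 'Security'; ID = @(5156..5158) }; MaxEvents = 50000; Path = 'C:\ps1\security.csv' }
  @{ Filter = @{ LogName = 'System' };                        MaxEvents = 10000; Path = 'C:\ps1\system.csv' }
  @{ Filter = @{ LogName = 'Application' };                   MaxEvents = 10000; Path = 'C:\ps1\application.csv' }
)

# Pass 1: heap reading and GC before each export.
foreach ($x in $exports) {
  Show-HeapMB
  Export-EventLog -Filter $x.Filter -MaxEvents $x.MaxEvents -Path $x.Path
}

# Final reading after the last export, then pass 2 re-runs the three exports back to
# back (overwriting the same files) with no readings in between, as the original did.
Show-HeapMB
foreach ($x in $exports) {
  Export-EventLog -Filter $x.Filter -MaxEvents $x.MaxEvents -Path $x.Path
}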
Rabu, 22 Agustus 2012
Thrashing memory with queries...(Part I)
12.07