Analysis for BugChecks

I am running an Analysis to determine the number of BugChecks posted to each computer's system event log.
Relevance: number of records whose (source of it as lowercase = "bugcheck") of system event log
It seems that the results are constantly changing with some showing . Is there something I can add to the relevance to where once it reports something other than it will stop and keep the result given?

The results will show 700 errors one day and the next 3000.

Is there something I can add to the relevance to where once it reports something other ERROR than it will stop and keep the result given?

The property will re-evaluate the event logs each time it refreshes, which would be from however long you set the property refresh interval to be. You could increase the property refresh interval to something like 30 days to reduce it being too dynamic (which isn’t a bad idea if you have relatively big event logs as it can take longer and longer to process) but other than that I’m not aware of any way to have a property as a 1 time static snapshot other than have an action that evaluates the data then writes the value onto the local systems somewhere, e.g. file, registry or client setting.

Hi,

The reason this is returning an error is because:

number of records whose (source of it as lowercase = "bugcheck") of system event log

Is an incredibly slow relevance query and the clients are getting interrupted waiting for it to finish.

If you want a 1 time static snapshot I’d recommend writing this query in PowerShell, running the PowerShell script on the endpoint saving the results to a file, and then reading the file with relevance.


I did what you suggested and created a task to pull it from PowerShell.

PowerShell script: Get-EventLog -Log "System" -Source "BugCheck" | measure | % { $_.Count } | Out-File -FilePath "C:\Windows\Temp\BugCheck1.txt" -Append

Batch file for Action: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File "%~dp0BugCheck.ps1"

Then I created an Analysis pointing to that text file being created: lines of file "C:\BCresults\BugCheck1.txt"

I don’t think the relevance Property for that Analysis is working. Any suggestions?

This is what the Analysis line is (correction): lines of file "C:\Windows\Temp\BugCheck1.txt"

Did you make sure the file “C:\Windows\Temp\BugCheck1.txt” actually exists and that it has something in it?

Yes, I’ve checked the txt file to make sure.

I’d recommend running this in Fixlet Debugger on the machine and making sure you get the lines of the file returned

I’ve done that as well :)

Can you share the analysis and the fixlet you’ve got?

Bill

How is it you’d like me to share it?

You could run the powershell command directly using the action which removes the need to create or download a script.

runhidden powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -command Get-EventLog -Log "System" -Source "BugCheck" | measure | % {{ $_.Count } | Out-File -FilePath "C:\Windows\Temp\BugCheck1.txt" -Encoding ascii -append

I added the -encoding parameter to force ascii instead of unicode to remove the special characters that were returned by the file inspection. Action and relevance ran ok via the fixlet debugger.

Q: lines of files "C:\Windows\Temp\BugCheck1.txt"
A: %ff%fe7%00
A: %00
A: %00
T: 0.275 ms
I: plural file line

Q: lines of files "C:\Windows\Temp\BugCheck1.txt"
A: 7
T: 0.202 ms
I: plural file line
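
The two Fixlet Debugger results above differ only in the encoding of the file. As an added example (not part of the original posts), this Python sketch rebuilds the bytes for each encoding and reproduces both results. It assumes the file inspector splits raw bytes on CR, LF or CRLF and shows non-printable bytes as %xx; the sample bytes and all function names are constructed for the illustration.

```python
import codecs

# Constructed samples: the bytes written for the single value 7 plus CRLF,
# first as UTF-16LE with a byte-order mark (the "unicode" case in the post),
# then as plain ASCII (the -Encoding ascii case).
UTF16_FILE = codecs.BOM_UTF16_LE + "7\r\n".encode("utf-16-le")
ASCII_FILE = "7\r\n".encode("ascii")


def percent_escape(raw: bytes) -> str:
    """Keep printable ASCII, show every other byte (and '%') as %xx."""
    return "".join(
        chr(b) if 0x20 <= b <= 0x7E and b != 0x25 else f"%{b:02x}" for b in raw
    )


def byte_lines(raw: bytes) -> list[str]:
    """Model of a byte-oriented line reader (assumption, see lead-in):
    split on CR, LF or CRLF without decoding the text first."""
    return [percent_escape(line) for line in raw.splitlines()]


def sniff_encoding(raw: bytes) -> str:
    """Pick a codec from a leading byte-order mark, defaulting to ASCII."""
    for bom, name in (
        (codecs.BOM_UTF8, "utf-8-sig"),
        (codecs.BOM_UTF16_LE, "utf-16"),
        (codecs.BOM_UTF16_BE, "utf-16"),
    ):
        if raw.startswith(bom):
            return name
    return "ascii"


def decoded_lines(raw: bytes) -> list[str]:
    """Decode with the sniffed codec first, then split into lines."""
    return raw.decode(sniff_encoding(raw)).splitlines()


if __name__ == "__main__":
    for label, data in (("UTF-16LE + BOM", UTF16_FILE), ("ASCII", ASCII_FILE)):
        print(label, "raw bytes :", data.hex(" "))
        print(label, "byte lines:", byte_lines(data))
        print(label, "decoded   :", decoded_lines(data))
```

The first answer's %ff%fe is the UTF-16LE byte-order mark, and the two extra %00 lines are the high bytes of the CR and LF characters left over once the file is split bytewise.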

That did it!!! Adding the " -Encoding ascii" to the PS Script made all the difference.

I then modified the Analysis to look like this:
line 1 of file "C:\Windows\Temp\BugCheck1.txt" | "No Results"

Thank you all for the responses.