Detect empty event log

(imported topic written by lmpymilk91)

I am getting an error here because the application event log is empty. I was expecting this to return True.

What are my options for checking if the event log contains records?

q:(not exists records whose ((event id of it = 1073742825) and (source of it as lowercase = "winlogon") and (description of it as lowercase contains "windows has finished checking your disk") and (now - time generated of it < 30*day)) of application event log)
E: The expression could not be evaluated: Windows Error: Reached the end of the file.

and

q:exists record of application event log
E: The expression could not be evaluated: Windows Error: Reached the end of the file.

(imported comment written by BenKus)

Hmm… looks like you found a bug with empty event logs (filed as bug #25450)… This expression should return false instead of an error…

I have a workaround with some crazy relevance for you… see if this works:

exists true whose (if ((not exists records whose ((event id of it = 1073742825) and (source of it as lowercase = "winlogon") and (description of it as lowercase contains "windows has finished checking your disk") and (now - time generated of it < 30*day)) of application event log)) then false else true)

(double check I didn’t get the true/false reversed…)

Ben

(imported comment written by lmpymilk91)

Thanks, Ben.

Flopping the true/false looks good.

(imported comment written by SystemAdmin)

I ran into this same problem on a WinXP SP/3 workstation. I’m using V8. I’m very new to BigFix and not sure how to query the bugtracker. Does anyone know if this bug has been fixed in V8 or can post a link to the BugTracker so I can look it up?

Thanks!

- Steve

(imported comment written by NoahSalzman)

Our defect tracking database is not available to folks outside of R&D.

That particular bug is still open (not fixed).

Also, you can check specific bug numbers fixed in v8 here.