Event Date and time and retention

(imported topic written by ajdyer200091)

Hi,

Wondering if anyone can help. I’m trying to get an application event log report in the column format of

Display the Date of event in 01/11/2010 format not Mon 11 Jan 2010

Display the time without the -0500

I would also like to only display events within the last 3 months.

The relevance I have come up with so far is

q: (time generated of it) of ((records of application event log) whose (event id of it = 999 or event id of it = 998))

A: Fri, 18 Dec 2009 11:23:05 -0500

A: Tue, 22 Dec 2009 09:06:16 -0500

A: Wed, 23 Dec 2009 09:13:54 -0500

A: Wed, 23 Dec 2009 10:27:27 -0500

A: Wed, 23 Dec 2009 10:34:34 -0500

A: Wed, 23 Dec 2009 10:51:28 -0500

A: Wed, 23 Dec 2009 10:55:22 -0500

A: Thu, 31 Dec 2009 09:33:23 -0500

A: Thu, 31 Dec 2009 12:29:27 -0500

A: Thu, 31 Dec 2009 12:33:05 -0500

A: Thu, 31 Dec 2009 12:40:19 -0500

A: Mon, 04 Jan 2010 09:13:07 -0500

A: Tue, 05 Jan 2010 11:35:00 -0500

A: Tue, 05 Jan 2010 13:30:11 -0500

A: Mon, 11 Jan 2010 09:11:11 -0500

(imported comment written by NoahSalzman)

This should work:

q: ((month of it as two digits & "/" & day_of_month of it as string & "/" & year of it as string) of dates (local time zone) of it, (time of times (local time zone) of it)) of (times generated of (records of application event log) whose (event id of it = 1))

A: 12/16/2008, 17:05:59

A: 12/16/2008, 17:06:45

A: 12/17/2008, 10:38:20

A: 12/17/2008, 10:38:18

A: 12/17/2008, 10:38:39

There might be a way to simplify that relevance… but, hey, it works so I’ll leave it at that.

For those interested in the problem, the main issue is that “time generated” returns a data type of “time” instead of a data type such as “time of day with time zone” or “date”.

(imported comment written by ajdyer200091)

Noah Thanks for the quick response. I ran it and got this. Any way to get two digits in the day field?

A: 01/4/2010, 09:13:07

A: 01/5/2010, 11:35:00

A: 01/5/2010, 13:30:11

A: 12/18/2009, 11:23:05

A: 12/22/2009, 09:06:16

A: 12/23/2009, 09:13:54

A: 12/23/2009, 10:27:27

A: 12/23/2009, 10:34:34

A: 12/23/2009, 10:51:28

A: 12/23/2009, 10:55:22

A: 12/31/2009, 09:33:23

A: 12/31/2009, 12:29:27

A: 12/31/2009, 12:33:05

A: 12/31/2009, 12:40:19

A: 01/4/2010, 09:13:07

A: 01/5/2010, 11:35:00

A: 01/5/2010, 13:30:11

A: 01/11/2010, 09:11:11

(imported comment written by NoahSalzman)

Yep, just change “string” to “two digits” as below. Also added in the 90 day limit from your original question.

q: ((month of it as two digits & "/" & day_of_month of it as two digits & "/" & year of it as string) of dates (local time zone) of it, (time of times (local time zone) of it)) of (times generated of (records of application event log) whose (event id of it = 1 and (time generated of it > (now - 90*day))))

A: 10/26/2009, 14:18:45

A: 11/02/2009, 16:49:52

A: 11/02/2009, 16:52:29

A: 11/02/2009, 16:53:01

(imported comment written by ajdyer200091)

Noah, I really appreciate it. One more thing and that's it. (I swear) How would you add “computer of it” and “description of it”?

(imported comment written by NoahSalzman)

Happy to help… had to move things around a little:

q: ((month of it as two digits & "/" & day_of_month of it as two digits & "/" & year of it as string) of dates (local time zone) of times generated of it, (time of times (local time zone) of times generated of it), computers of it, descriptions of it) of (records of application event log) whose (event id of it = 1 and (time generated of it > (now - 90*day)))

A: 10/13/2009, 14:39:38, foo.bar.com, The Windows Security Center Service has started.

A: 10/13/2009, 15:55:35, foo.bar.com, The Windows Security Center Service has started.

A: 10/26/2009, 12:56:54, foo.bar.com, The Windows Security Center Service has started.
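As an added example, not code from the thread or from BigFix: the transformation the final relevance performs (filter by event id, keep only the last 90 days, render the date as MM/DD/YYYY and the time without the zone offset) reproduced in Python over raw "time generated" strings in the format shown above, so the zone conversion and the cutoff can be checked offline. The sample records, the fixed "now" and the local zone offset of -0500 are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: raw "time generated" values in the RFC 2822 style the
# thread shows, paired with an assumed event id for each record.
SAMPLE_RECORDS = [
    ("Fri, 18 Dec 2009 11:23:05 -0500", 999),
    ("Wed, 23 Dec 2009 10:27:27 -0500", 998),
    ("Mon, 04 Jan 2010 09:13:07 -0500", 999),
    ("Mon, 11 Jan 2010 09:11:11 -0500", 5),    # unwanted event id: dropped
    ("Mon, 05 Oct 2009 08:00:00 -0500", 999),  # older than 90 days: dropped
]

# Assumption: the endpoint's local zone is UTC-5, matching the -0500 offsets.
LOCAL_TZ = timezone(timedelta(hours=-5))
RAW_FMT = "%a, %d %b %Y %H:%M:%S %z"


def parse_time_generated(raw: str) -> datetime:
    """Parse a 'time generated' string into a timezone-aware instant."""
    return datetime.strptime(raw, RAW_FMT)


def format_row(ts: datetime, tz=LOCAL_TZ) -> tuple[str, str]:
    """Render (MM/DD/YYYY, HH:MM:SS) in the given zone.

    Like the relevance, the instant is converted to a zone first; the same
    instant can fall on a different calendar date in a different zone.
    """
    local = ts.astimezone(tz)
    return local.strftime("%m/%d/%Y"), local.strftime("%H:%M:%S")


def report(records, wanted_ids, now: datetime, window_days: int = 90):
    """Mirror: whose (event id of it in wanted and time generated > now - 90*day)."""
    cutoff = now - timedelta(days=window_days)
    rows = []
    for raw, event_id in records:
        if event_id not in wanted_ids:
            continue
        ts = parse_time_generated(raw)
        if ts <= cutoff:  # strictly newer than the cutoff, as in the relevance
            continue
        rows.append(format_row(ts))
    return rows


if __name__ == "__main__":
    now = datetime(2010, 1, 12, tzinfo=LOCAL_TZ)  # assumed "now" for the sample
    for date_str, time_str in report(SAMPLE_RECORDS, {998, 999}, now):
        print(f"{date_str}, {time_str}")
```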

(imported comment written by ajdyer200091)

Excellent. Thanks for your help.