Event log inspectors very ineffective

(imported topic written by ageorgiev)

Hello,

Has anyone else also noticed how ineffective the “event log” inspectors are with regard to filtering the event records, and possibly come up with a solution to it? Just as an example, I ran the following two relevance expressions, which return the exact same value; one uses the agent's native event log inspector, the other a WMI query.

q: number of selects ("EventCode from Win32_NTLogEvent Where Logfile = %22System%22 and Message like %22%25BES Client%25%22 and TimeWritten > %22" & (((year of it as string  & month of it as two digits as string & day_of_month of it as two digits as string) of item 0 of it & (two digit hour of it as string & two digit minute of it as string & two digit second of it as string & ".000000" & (((substring(1,2) of it as integer * 60 + substring(3,2) of it as integer) * (substring(0,1) of it & "1") as integer) of (zone of it as string)) as string) of item 1 of it) of ((date (local time zone) of it - 2 * month) of now, current time_of_day)) & "%22") of wmi
A: 16
T: 882.913 ms
I: singular integer

q: number of records whose (description of it contains "BES Client" and now - time generated of it < 60 * day) of system event log
A: 16
T: 46400.620 ms
I: singular integer

The example was tested on a 2k3 machine with a 15 MB SYSTEM event log, and the difference in evaluation time is gigantic, which defeats the purpose of ever using the event log inspectors. The only drawback of using WMI is that the Win32_NTLogEvent class is only available on XP/2003 and later, which in most cases would not matter, but in mine it does, as we still have a handful of NT4 and 2000 machines. Please let me know if I am missing some better way to query event logs with the native inspectors. Thank you.

ageorgiev
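The awkward part of the WMI query above is the TimeWritten comparison: Win32_NTLogEvent stores timestamps as CIM/DMTF strings (yyyymmddHHMMSS.ffffff followed by a signed UTC offset in minutes), so the relevance has to assemble that string by hand from the local date, time and zone. The following Python is an added example, not code from the original post, that does the same construction (and the reverse parse) in a testable form and builds the equivalent WQL filter for a given log, message substring and cutoff date. The function names and the `since` window are assumptions for illustration; the query text is only built here, not executed, since Win32_NTLogEvent exists only on Windows.

```python
from datetime import datetime, timedelta, timezone


def to_dmtf(dt: datetime) -> str:
    """Format an aware datetime as a CIM/DMTF datetime string.

    Layout: yyyymmddHHMMSS.ffffff±UUU, where UUU is the UTC offset in
    minutes, zero-padded to three digits (e.g. +120 for UTC+2, -300 for
    UTC-5, +000 for UTC). WMI compares TimeWritten against this layout.
    """
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("an aware datetime is required to derive the UTC offset")
    offset_minutes = int(dt.utcoffset().total_seconds() // 60)
    sign = "+" if offset_minutes >= 0 else "-"
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{sign}{abs(offset_minutes):03d}"


def from_dmtf(value: str) -> datetime:
    """Parse a CIM/DMTF datetime string back into an aware datetime."""
    if len(value) != 25 or value[14] != "." or value[21] not in "+-":
        raise ValueError(f"not a DMTF datetime: {value!r}")
    base = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    micros = int(value[15:21])
    offset = int(value[22:25]) * (1 if value[21] == "+" else -1)
    return base.replace(microsecond=micros, tzinfo=timezone(timedelta(minutes=offset)))


def wql_literal(text: str) -> str:
    """Escape a value for use inside a double-quoted WQL string literal."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def wql_like_fragment(text: str) -> str:
    """Escape LIKE wildcards so a substring match is literal, then wrap in %."""
    escaped = wql_literal(text)
    for wildcard in ("[", "%", "_"):
        escaped = escaped.replace(wildcard, f"[{wildcard}]")
    return f"%{escaped}%"


def build_event_query(logfile: str, message_contains: str, since: datetime) -> str:
    """Build the Win32_NTLogEvent WQL query equivalent to the relevance above."""
    return (
        "SELECT EventCode FROM Win32_NTLogEvent "
        f'WHERE Logfile = "{wql_literal(logfile)}" '
        f'AND Message LIKE "{wql_like_fragment(message_contains)}" '
        f'AND TimeWritten > "{to_dmtf(since)}"'
    )


if __name__ == "__main__":
    # Constructed cutoff: two months back from a fixed local time in UTC+2.
    now_local = datetime(2024, 3, 5, 14, 7, 9, tzinfo=timezone(timedelta(hours=2)))
    since = now_local - timedelta(days=60)
    print(build_event_query("System", "BES Client", since))
```

The query string this produces can be handed to any WMI client (for example `Get-WmiObject -Query` on Windows); the offset handling mirrors the `zone of it` arithmetic in the relevance, but always emits the three-digit offset WMI expects.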