Ok, so I couldn’t quite give up on this. I don’t have those events in my deployment, but I do have event ids 8014 and 8015 so I’ve crafted the search for them.
Repeated searching through the event log is painfully slow, but looping through the elements of a string set is very fast in the BES client. So what I’m doing here is to first build a set of tuple strings representing (event id, timestamp, description) of the events we want. Here’s the final query -
q: (tuple string item 0 of it, tuple string item 1 of it, tuple string item 2 of it) of items 0 of (elements of item 0 of it, items 2 of it) whose (tuple string item 1 of item 0 of it as time = item 1 of it) of (item 0 of it, item 1 of it, maximum of (it as time) of tuple string items 1 of items 0 of (elements of item 0 of it, item 1 of it) whose (tuple string item 0 of item 0 of it = item 1 of it)) of (it, unique values of tuple string items 0 of elements of it) of set of (it as string) of (event id of it, time generated of it, description of it) of records whose (event id of it is contained by set of (8014;8015) ) of system event log
Breakdown of how this works:
First, create a string set containing (event id, time generated, description) for the event records we want:
set of (it as string) of (event id of it, time generated of it, description of it) of records whose (event id of it is contained by set of (8014;8015) ) of system event log
Next, I’ll loop through the set to find the unique event IDs for which we searched (so only the very end of the query, with the event IDs, needs to be modified). I preserve the original set, as well as the unique event IDs within the set - the event IDs are ‘tuple string items 0’ of the elements in the set.
(it, unique values of tuple string items 0 of elements of it)
Now, given ‘item 0’ is the set of all events and ‘item 1’ is one unique event ID, I want to find the maximum time for that particular event in the set:
maximum of (it as time) of tuple string items 1 of items 0 of (elements of item 0 of it, item 1 of it) whose (tuple string item 0 of item 0 of it = item 1 of it)
Now that we know the maximum time for each event, we need to loop back through the whole set to find the events that matched those timestamps. At this point, ‘item 0’ is the whole set and ‘item 2’ is one of the maximum times that we found. Loop through the set and find the elements whose ‘tuple string 0’ (time) matches the time we seek:
(elements of item 0 of it, items 2 of it) whose (tuple string item 1 of item 0 of it as time = item 1 of it)
At this point we have the elements that match the time, and the time we were looking for. We’re not interested in that maximum time anymore, just the ‘items 0’ elements that matched the time. ‘items 0’ are now the individual matching ‘tuple strings’, so we can just keep the items 0 and split out the ‘tuple string items X’ of items 0 of …
(tuple string item 0 of it, tuple string item 1 of it, tuple string item 2 of it) of items 0 of
On my machine, which had 13 events total between these two event IDs, it was actually pretty quick:
A: 8014, ( Mon, 04 Apr 2022 12:52:18 -0500 ), ( The system failed to register pointer (PTR) resource records (RRs) for network adapter%0d%0awith settings:%0d%0a%0d%0a Adapter Name : {83433568-A95C-4775-9932-C565F52C21C3}%0d%0a Host Name : endpoint-1%0d%0a Adapter-specific Domain Suffix : d.domain.home%0d%0a DNS server list :%0d%0a %09192.168.1.254%0d%0a Sent update to server : <?>%0d%0a IP Address :%0d%0a 192.168.1.101%0d%0a%0d%0aThe reason the system could not register these RRs during the update request was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information. )
A: 8015, ( Wed, 30 Mar 2022 08:32:09 -0500 ), ( The system failed to register host (A or AAAA) resource records (RRs) for network adapter%0d%0awith settings:%0d%0a%0d%0a Adapter Name : {83433568-A95C-4775-9932-C565F52C21C3}%0d%0a Host Name : endpoint-1%0d%0a Primary Domain Suffix : d.domain.home%0d%0a DNS server list :%0d%0a %09192.168.1.254%0d%0a Sent update to server : <?>%0d%0a IP Address(es) :%0d%0a 192.168.1.86%0d%0a%0d%0aThe reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running at this time.%0d%0a%0d%0aYou can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. )
T: 1103.068 ms
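The same latest-event-per-ID pipeline, as an added Python example that is not part of the post or of BigFix: it parses tuple strings in the form the Fixlet Debugger prints them (decoding the %0d%0a / %09 escapes in the description) and then runs the same stages as the relevance query, unique IDs, maximum time per ID, then the elements matching that time. The sample tuple strings are constructed; the timestamp format is the one shown in the post's output.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample tuple strings: (event id, time generated, description),
# shaped like the post's output. Two older duplicates per ID are included so
# the "latest per ID" selection actually has something to discard.
SAMPLE = [
    "8014, ( Mon, 04 Apr 2022 12:52:18 -0500 ), ( PTR registration failed%0d%0a Host Name : endpoint-1 )",
    "8015, ( Wed, 30 Mar 2022 08:32:09 -0500 ), ( A (or AAAA) registration timed out%0d%0a%09192.168.1.254 )",
    "8014, ( Sun, 03 Apr 2022 09:10:00 -0500 ), ( PTR registration failed (older) )",
    "8015, ( Tue, 29 Mar 2022 07:00:00 -0500 ), ( A (or AAAA) registration timed out (older) )",
]

# id, "( time )", "( description )"; the description may itself contain
# parentheses, so the last group is greedy and anchored to the final " )".
TUPLE_RE = re.compile(r"^(\d+), \( (.*?) \), \( (.*) \)$", re.DOTALL)


def parse_tuple(s):
    """Split one tuple string into (event id, aware datetime, decoded description)."""
    m = TUPLE_RE.match(s)
    if not m:
        raise ValueError(f"not a tuple string: {s!r}")
    eid = int(m.group(1))
    when = datetime.strptime(m.group(2), "%a, %d %b %Y %H:%M:%S %z")
    desc = unquote(m.group(3))  # %0d%0a -> CR LF, %09 -> tab
    return eid, when, desc


def latest_per_event_id(tuple_strings, wanted=(8014, 8015)):
    """Return {event id: [events generated at that id's latest timestamp]}."""
    events = [parse_tuple(s) for s in tuple_strings]          # set of (it as string) of ...
    events = [e for e in events if e[0] in wanted]           # ... whose (event id is contained by set)
    ids = sorted({eid for eid, _, _ in events})              # unique values of tuple string items 0
    result = {}
    for eid in ids:
        latest = max(t for i, t, _ in events if i == eid)    # maximum of (it as time) for this id
        # keep every element at that time, as the query does (ties are all returned)
        result[eid] = [e for e in events if e[0] == eid and e[1] == latest]
    return result
```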