I need to put together a report containing the count of all event 6004 events from the system log, and the times of each. This needs to be collected across all computers in a group on a monthly basis. Basically it needs to look like:
It returns “0”, and there are 13 records in the system event log with event id 6004. I’ll also take a look at your link to see if I can make progress there.
Ben, no joy on using the other links. Regardless of what event id I search for, I get no records. I remember seeing a log query using WMI, but can’t seem to find it anymore. Sure, WMI will use more resources, but it gets the job done.
I’m almost there. Only one more thing to work out on the report; restricting the query to only the previous month’s reboots. Here’s how it looks right now:
RebootCount = number of records whose (event id of it mod 65536 = 6004 ) of system event log
RebootTimes = times written of records whose (event id of it mod 65536 = 6004) of system event log
…they work great, btw, but show events from all dates.
Now, I’m trying to restrict further, to include only last month’s records:
times written of records whose (event id of it mod 65536 = 6004 and time written of it = (current month_and_year - 1*month)) of system event log
…which doesn’t work, giving “the operator equal is not defined”. I’ve tried some variants, all to no avail.
The “current month_and_year - 1*month” code works in relevance debugger, although I think the date formats between the event log and “system time” are incompatible (well, the way I’m coding them, at least).
I have the calculation for “last month’s first day” hammered out:
q: ("01 " & current month as string & current year as string) as date -1*month
A: Wed, 01 Apr 2009
But when I try to combine it with the previous relevance, I get this:
q: times written of records whose (event id of it mod 65536 = 6005 and (time generated of it > ("01 " & current month as string & current year as string)) as date -1*month) of system event log
E: The operator “less than” is not defined.
…since I’m comparing two dates (am I?), I would think the Boolean comparison would be valid, but apparently the relevance language doesn’t agree.
The trick is that the type is not “friendly” as the type. The system event log relevance is spitting back objects in the type. The Relevance Language Reference doc shows this trick for coercing into :
Q: date (local time zone) of now
A: Mon, 25 Sep 2006
So… try something like this:
dates (local time zone) of times written of records whose (time written of it… blah blah blah
That should lead you to something like
months of (dates (local time zone) of times written of records whose (time written of it… blah blah blah
I need the latter. I’m looking for “last month’s reboots” instead of “the last 30 days of reboots”. I’ll tinker with your recommendations and let y’all know how it goes.
So, first, how do we find “all the events that occurred in April”?
number of records whose ((month of date (local time zone) of time written of it) = month “April”) of system event log
We now need to replace the hard-coded “April” with logic that means “the previous calendar month”. Here is the logic for “the previous calendar month”… I hope someone out there knows an easier way:
month (if month of current date as integer - 1 = 0 then 12 else month of current date as integer -1)
OK, so now we need to put it all together. If you remove the hard coded “April” you end up with:
number of records whose ((month of date (local time zone) of time written of it) = month (if month of current date as integer - 1 = 0 then 12 else month of current date as integer - 1)) of system event log
That assumes you are only storing 12 months of log data… otherwise you will get data from April 2008 as well.
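One way to avoid the April 2008 problem is to compare month and year together instead of the month alone. The two queries below are an added example, not from the original posts; they assume that `month_and_year of <date>` is a valid date inspector and that `current month_and_year - 1*month` evaluates as reported earlier in the thread (relevance has no comment syntax, so the assumptions live here rather than in the block).

```relevance
number of records whose (event id of it mod 65536 = 6004 and (month_and_year of date (local time zone) of time written of it) = (current month_and_year - 1*month)) of system event log

times written of records whose (event id of it mod 65536 = 6004 and (month_and_year of date (local time zone) of time written of it) = (current month_and_year - 1*month)) of system event log
```

The first expression gives RebootCount and the second RebootTimes for the previous calendar month only, regardless of how many months of log data the machine retains.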