(imported comment written by MattBoyd)
I’ll show you some examples that I think will help you, but PLEASE test it in the fixlet debugger and look at the evaluation times. You’ll see that event log query performance is very poor, and could impact the performance/responsiveness of the client if overused or used incorrectly. I would only recommend using event log queries in an analysis with properties that are set to evaluate once per day. I don’t want to give you the gun that you use to shoot yourself in the foot…
Here’s one that attempts to return Symantec Security Risk Events
(time generated of it, concatenation of substrings separated by "%0d%0a" of description of it) of records whose (source of it = "Symantec AntiVirus" and description of it contains "Security Risk Found!") of (application event log)
Here’s an example that retrieves the last virus scan event (I think this is the “unique” query that you’re looking for)
(concatenation of substrings separated by "%0d%0a" of descriptions of it) of items 1 of it whose (time generated of items 1 of it = item 0 of it) of ((maximum of times generated of it) of records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of it, records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of it) of application event log
This retrieves the number of Bugchecks (BSoDs):
number of records whose (source of it as lowercase = "bugcheck") of system event log
This last example uses WMI to query the event log because the BigFix event log inspectors didn’t have the descriptions for some reason. The WMI queries are EVEN SLOWER than the BigFix event log inspectors. This retrieves the number of BugChecks (BSoDs) that have occurred on the workstation
(time values of properties "TimeGenerated" of it, string values of properties "Message" of it) of select objects "TimeGenerated, Message from Win32_NTLogEvent where Logfile='System' AND EventCode = 1001 AND SourceName = 'Microsoft-Windows-WER-SystemErrorReporting'" of wmi
Windows has some new APIs that seem to improve event log query performance dramatically:
http://msdn.microsoft.com/en-us/library/aa385466(v=vs.85).aspx
Managed code example: http://msdn.microsoft.com/en-us/library/bb671200(v=vs.90).aspx
The event log has some incredibly valuable information in it, so I would love to use event log queries more often to identify issues on clients, but the performance issues are a deterrent. I did request that this be implemented in TEM somehow (if possible), but I’m not sure that will happen any time soon (if ever). High performance event log querying would be a GREAT feature to brag about
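Added example, not part of the post above: the same three lookups (Security Risk events, the most recent "Scan Complete", and the bugcheck count) written against the newer Windows Event Log API that the post links to. Get-WinEvent is built on that API (System.Diagnostics.Eventing.Reader / EvtQuery), so the filter in the hashtable or XPath is evaluated inside the event log service instead of every record being read and marshalled to the caller, which is what the legacy System.Diagnostics.EventLog class behind Get-EventLog does. The provider and source names are taken from the relevance queries in the post; the 7-day window and the timing comparison are assumptions added here. Run it in Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 7).

```powershell
# Added example (not from the original post). Queries the Windows event log
# through the newer Event Log API via Get-WinEvent and compares the cost with
# the legacy Get-EventLog path. Provider/source names come from the post's
# relevance queries; the time window is an assumption.

$since = (Get-Date).AddDays(-7)   # assumption: only look at the last 7 days

# 1. Symantec Security Risk events. Log, provider and start time are filtered
#    server-side; only the message substring match happens in the pipeline.
$riskEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Symantec AntiVirus'
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Security Risk Found!*' } |
    Select-Object TimeCreated, Message

# 2. Most recent "Scan Complete" event. Get-WinEvent returns newest first, and
#    Select-Object -First 1 stops the upstream pipeline, so the log is read only
#    as far back as the first match (the post's "unique" query without the
#    maximum-of-times-generated double scan).
$lastScan = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Symantec AntiVirus'
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Scan Complete*' } |
    Select-Object -First 1 TimeCreated, Message

# 3. Bugcheck (BSoD) count, using an XPath filter the event log service
#    evaluates itself: WER-SystemErrorReporting event 1001 in the System log.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-WER-SystemErrorReporting'] and EventID=1001]]"
$bugchecks = @(Get-WinEvent -LogName System -FilterXPath $xpath -ErrorAction SilentlyContinue)

# 4. Timing comparison: new API with a pushed-down filter versus the legacy
#    API, which reads every record in the log and filters on the client side.
$newApi = Measure-Command {
    Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
            Id           = 1001
        } -ErrorAction SilentlyContinue | Out-Null
}
$oldApi = Measure-Command {
    Get-EventLog -LogName System -Source 'Microsoft-Windows-WER-SystemErrorReporting' -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1001 } | Out-Null
}

[pscustomobject]@{
    SecurityRiskEvents = @($riskEvents).Count
    LastScanComplete   = if ($lastScan) { $lastScan.TimeCreated } else { $null }
    BugcheckCount      = $bugchecks.Count
    NewApiMs           = [int]$newApi.TotalMilliseconds
    LegacyApiMs        = [int]$oldApi.TotalMilliseconds
}
```

On a workstation with a large System log the legacy path is typically an order of magnitude slower, which is the same problem the relevance inspectors have: the filtering happens after every record has been pulled from the log. If the event source is absent, Get-WinEvent reports "No events were found" as a non-terminating error; -ErrorAction SilentlyContinue turns that into an empty result rather than a failure.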