Counting and grouping log entries by arbitrary time spans with Powershell.

Sometimes it’s useful to see where in a time range an event log collects particular types of events.

I’ve seen several scripts that count events and group them by a time span (usually day or hour), but sometimes it would be nice to choose an arbitrary time span for grouping the counts.

This script takes input from get-eventlog, counts the events, and groups the counts by an arbitrary timespan that you specify. If you want counts per day, use a 1 day timespan. If you want every 2 hours, use a 2 hour timespan, etc.

It does not use group-object or measure-object, and it doesn’t do any datetime math inside the event processing loop. All the timestamps are converted to ticks, and all calculations are done on the tick counts using simple math operations. This lets the script work out which timespan group an event belongs in using integer division and truncation – operations that are not available through the Powershell operators on datetime objects directly.

$Span = new-timespan -hours 1 -minutes 30
$StartString = '01/21/2012'
$LogName = 'Application'

# Hash table keyed by slice number; the value is the number of events in that slice
$EventCount = @{}

$TimeBase = [DateTime]::MinValue
$StartTicks = ([datetime]$StartString).Ticks
$SpanTicks = $Span.Ticks

# Builds the properties for one output row from a hash table entry
# ($_.Name is the slice number, $_.Value is the count for that slice)
$props = {
    @{
        Time   = [datetime]$StartString + [TimeSpan]::FromTicks($SpanTicks * $_.Name)
        Events = $_.Value
    }
}

Get-Eventlog -LogName $LogName -After $StartString |
    foreach {
        # Slice number = whole spans elapsed between the start time and the event, computed on ticks only
        $Time_Slice = [int][math]::truncate(($_.TimeGenerated.Ticks - $StartTicks) / $SpanTicks)
        # Incrementing a missing key creates it with a value of 1
        $EventCount[$Time_Slice]++
    }

$EventCount.GetEnumerator() | sort Name |
    foreach { new-object psobject -property (&$props) | select Time,Events }
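The same tick-based bucketing, as an added example that is not part of the original post, wrapped in a reusable function. The function name Get-EventCountBySpan, its parameters and the sample events are assumptions made for this illustration. It goes a little beyond the script above: it accepts any objects that carry a timestamp property (so it works for Get-EventLog's TimeGenerated as well as Get-WinEvent's TimeCreated), skips events that fall before the start time rather than producing a negative slice, and emits every slice up to an end time, including empty ones, so that a quiet interval in a log shows up as a zero row instead of silently disappearing from the table.

```powershell
# Added example, not code from the original post. Function name, parameters
# and sample data are assumptions made for this illustration.
function Get-EventCountBySpan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$InputObject,
        [Parameter(Mandatory)] [datetime]$Start,
        [Parameter(Mandatory)] [timespan]$Span,
        # Timestamp property to read: TimeGenerated for Get-EventLog, TimeCreated for Get-WinEvent
        [string]$TimeProperty = 'TimeGenerated',
        [datetime]$End = (Get-Date)
    )
    begin {
        $startTicks = $Start.Ticks
        $spanTicks  = $Span.Ticks
        if ($spanTicks -le 0) { throw 'Span must be a positive timespan' }
        # Slice number -> event count; keys are created on first increment
        $counts = @{}
    }
    process {
        foreach ($evt in $InputObject) {
            $t = [datetime]$evt.$TimeProperty
            # An event earlier than $Start would truncate to a negative slice; skip it explicitly
            if ($t -lt $Start) { continue }
            # All arithmetic is done on ticks: whole spans elapsed since $Start
            $slice = [int][math]::Truncate(($t.Ticks - $startTicks) / $spanTicks)
            $counts[$slice]++
        }
    }
    end {
        # Walk every slice from $Start to $End so empty intervals are reported as 0
        $lastSlice = [int][math]::Truncate(($End.Ticks - $startTicks) / $spanTicks)
        foreach ($i in 0..$lastSlice) {
            [pscustomobject]@{
                Time   = $Start + [timespan]::FromTicks($spanTicks * $i)
                Events = [int]$counts[$i]   # missing key casts to 0
            }
        }
    }
}

# Constructed sample events (not real log data) spread over a few hours
$base = [datetime]'2012-01-21 00:00:00'
$sample = @(
    [pscustomobject]@{ TimeGenerated = $base.AddMinutes(5);   EntryType = 'Information' }
    [pscustomobject]@{ TimeGenerated = $base.AddMinutes(95);  EntryType = 'Warning' }
    [pscustomobject]@{ TimeGenerated = $base.AddMinutes(100); EntryType = 'Error' }
    [pscustomobject]@{ TimeGenerated = $base.AddMinutes(230); EntryType = 'Information' }
    [pscustomobject]@{ TimeGenerated = $base.AddMinutes(-10); EntryType = 'Information' }  # before $Start, skipped
)

$sample |
    Get-EventCountBySpan -Start $base -Span (New-TimeSpan -Hours 1 -Minutes 30) -End $base.AddHours(5.5) |
    Format-Table -AutoSize

# Against a live log the same call would be, for example:
#   Get-EventLog -LogName Application -After $base |
#       Get-EventCountBySpan -Start $base -Span (New-TimeSpan -Hours 1 -Minutes 30)
```

The empty-slice handling is the part worth keeping when this is used for baselining or incident review: a stretch of zero rows in a log that is normally busy is itself a finding, and a table that only lists slices that contained events would hide it.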


3 responses to “Counting and grouping log entries by arbitrary time spans with Powershell.”

  1. Wonderful post. Very good technique. However I did not understand one thing. Appreciate if you could explain it. You are using Get-EventLog and then time-slicing it and counting it. The very next line where you are using $EventCount.GetEnumerator() – how does that get the data you collected in the previous line?

  2. $EventCount is a hash table. The keys represent sequentially numbered timespans (of duration determined by $span). The timestamp of the event is converted to ticks, then using the start time of get-eventlog as a baseline it calculates a timespan increment from baseline that event belongs in. The hash table key that represents that timespan increment then gets incremented. $EventCount.GetEnumerator() dumps the hash table after all the events are collected and the events counted in the timespan increment they occurred in. (Whew, I hope that made sense.) The technique I’m using to create the hash table keys and update the counters is described here:

  3. Awesome – thank you very much. Much appreciated.
