PowerShell, weird behaviour of Get-WinEvent -FilterHashTable ID and arrays


What I want to do?

I run the Get-WinEvent function with -FilterHashTable, supplying an array of interesting Event IDs for the ID argument.

$IDS = 4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4741,4742,4743,4744,4745,4746,4747,4748,4749,4750,4751,4752,4753,4754,4755,4756,4757,4758,4759,4760,4761,4762,4763,4764,4767,4781

Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDS; }

This returned an error:

# Get-WinEvent : No events were found that match the specified selection criteria.

(and I know the matching events DO exist)

I've noticed that with smaller arrays the function returned positive results, and thus, after a few attempts, I've asserted this:

  • straight call with Array count -le 23 works properly;
  • straight call with Array count -gt 23 results in error.

Seemingly proper solution...

I've assumed that 23 is an undocumented limit of arguments that the underlying mechanisms of the Get-WinEvent can process, and then decided to split the call into several calls with smaller array:

$MaxCount = 23
$IDSChunks = @()   # start from an empty array so each chunk is appended as one element
For ( $i = 0; $i -lt $IDS.count; $i += $MaxCount ) { 
    # the leading comma keeps the slice as a single nested array instead of unrolling it;
    # indices past the end of $IDS are dropped, so the last chunk is simply shorter
    $IDSChunks += ,@( $IDS[ $i..($i+$MaxCount-1) ] ) 
}

This way we have split the array into two, each counting -le 23 elements:

$IDSChunks | %{ $_ -join "," }
4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4741,4742,4743,4744,4745
4746,4747,4748,4749,4750,4751,4752,4753,4754,4755,4756,4757,4758,4759,4760,4761,4762,4763,4764,4767,4781

Checked manually, and this worked as expected:

Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDSChunks[0]; }
Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$IDSChunks[1]; }

But...

This, however, does not:

$IDSChunks | %{ Get-WinEvent -ComputerName DC -FilterHashTable @{ LogName='Security'; ID=$_; } }

And results in the already familiar error:

# Get-WinEvent : No events were found that match the specified selection criteria.
# Get-WinEvent : No events were found that match the specified selection criteria.

Why?

What am I doing wrong?

BEST ANSWER

I am still trying to investigate why, but I can get this to work if you force the pipeline variable to an array. It already is an Object array, but perhaps it is getting unrolled. This should be no different than when you called the elements explicitly. I agree this is odd.

$IDSChunks | %{ Get-WinEvent -ComputerName dckan08ba -FilterHashTable @{ LogName='Security'; ID=@($_)} }

Adding the -Verbose switch shows that it is getting converted to a space-delimited string. It should look like this:

VERBOSE: Constructed structured query:
*[((System/EventID=4746) or (System/EventID=4747) or
(System/EventID=4748) or (System/EventID=4749) or (System/EventID=4750) or (System/EventID=4751) or
(System/EventID=4752) or (System/EventID=4753) or (System/EventID=4754) or (System/EventID=4755) or
(System/EventID=4756) or (System/EventID=4757) or (System/EventID=4758) or (System/EventID=4759) or
(System/EventID=4760) or (System/EventID=4761) or (System/EventID=4762) or (System/EventID=4763) or
(System/EventID=4764) or (System/EventID=4767) or (System/EventID=4781))].

But instead does this:

VERBOSE: Constructed structured query:
*[(System/EventID=4746 4747 4748 4749 4750 4751 4752
4753 4754 4755 4756 4757 4758 4759 4760 4761 4762 4763 4764 4767 4781)].
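The following is an added example, not code from the question or the answer. It puts the chunking from the question and the array-forcing fix from the answer together in one function, so the same ID list can be queried without the pipeline unrolling problem, and it treats the "No events were found" error as an empty result rather than a failure. The function name, its parameters, the 23-element chunk size (taken from the question's observation; it is assumed here, not documented) and the computer name `DC` are all assumptions; the event IDs are the account-management audit IDs listed in the question. Instead of relying on `@($_)`, it casts each chunk to `[int[]]` before building the hashtable, which guarantees Get-WinEvent receives a plain .NET integer array whatever wrapper the loop or pipeline hands over.

```powershell
# Added example (not from the question or answer). Assumes a reachable host 'DC'
# whose Security log the caller may read; the function and parameter names are mine.
function Get-SecurityEventsById {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int[]]  $EventId,
        [int]      $ChunkSize = 23,   # limit observed in the question; assumed to hold in general
        [datetime] $StartTime         # optional lower bound to keep each query small
    )

    # Split the ID list into chunks of at most $ChunkSize. PowerShell drops
    # out-of-range indices in a range slice, so the last chunk is just shorter.
    $chunks = @()
    for ($i = 0; $i -lt $EventId.Count; $i += $ChunkSize) {
        $chunks += ,@($EventId[$i..($i + $ChunkSize - 1)])
    }

    foreach ($chunk in $chunks) {
        # The cast to [int[]] is the important part: the hashtable then holds a
        # plain integer array, so Get-WinEvent builds "(EventID=a) or (EventID=b)"
        # rather than the "EventID=a b c" string shown in the accepted answer.
        $filter = @{ LogName = 'Security'; ID = [int[]]$chunk }
        if ($StartTime) { $filter['StartTime'] = $StartTime }

        Write-Verbose ("Querying {0} for IDs {1}" -f $ComputerName, ($chunk -join ','))

        # "No events were found" is a non-terminating error, not an empty result.
        # Capture it, treat it as zero hits for this chunk, and surface anything else.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                               -ErrorAction SilentlyContinue -ErrorVariable queryErrors
        foreach ($err in $queryErrors) {
            if ($err.Exception.Message -notlike 'No events were found*') {
                Write-Error -ErrorRecord $err
            }
        }
        $events
    }
}

# Account-management audit IDs from the question (e.g. 4720 account created,
# 4726 account deleted, 4740 account locked out, 4781 account name changed).
$IDS = 4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,
       4737,4738,4740,4741,4742,4743,4744,4745,4746,4747,4748,4749,4750,4751,4752,
       4753,4754,4755,4756,4757,4758,4759,4760,4761,4762,4763,4764,4767,4781

# Count hits per event ID over the last day; a quick view of which account
# changes actually happened on the domain controller.
Get-SecurityEventsById -ComputerName DC -EventId $IDS -StartTime (Get-Date).AddDays(-1) -Verbose |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run with `-Verbose` and Get-WinEvent prints the "Constructed structured query" line shown in the answer, so you can confirm each chunk expands to the `(System/EventID=...) or (System/EventID=...)` form before trusting the results. Dropping the `[int[]]` cast and feeding the chunks through `ForEach-Object` reproduces the space-delimited query from the answer, which is the quickest way to see that the cast, not the chunking, is what fixes the pipeline case.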