Sort-Object having no effect on Get-EventLog

1.9k Views Asked by Leander At 20 October 2024 at 19:11

I'm trying to find the oldest retained Event in the Security Event Log through powershell.

Using the following command: (Get-EventLog Security | Sort-Object -Property Time -Descending)

This returns a list which is not sorted in the least. What am I doing wrong here?

There are 2 best solutions below

vrdse On 02 August 2018 at 16:34 BEST ANSWER

This is not a problem with Get-EventLog, but caused by the fact that the output of Get-EventLog does not have a Porperty Time.

Use Get-Member to show a list of available properties.

Get-EventLog | Get-Member

You'll see, that there is a TimeGenerated property, which you can use.

Get-EventLog Security | Sort-Object -Property TimeGenerated -Descending

Furthermore I'd like to add, that that's the default order anyway. But if you want to switch the order, I recommend using Get-WinEvent instead, which has a -Oldest switch.

Get-WinEvent -LogName Security -Oldest

Matt On 02 August 2018 at 16:26

"Time" is a generated string for output purposes not a datetime object so the sorting that is happening isn't chronological but non-existent.

Looking at the DotNetTypes.format.ps1xml you will see that it is using a formatted version of the TimeGenerated property.

<TableColumnHeader>
    <Label>Time</Label>
    <Width>13</Width>
</TableColumnHeader>
...
...
<PropertyName>TimeGenerated</PropertyName>
<FormatString>{0:MMM} {0:dd} {0:HH}:{0:mm}</FormatString>

This is done to have friendlier default output with the caveat of issues like the one you are having.

So, sort-object was "working" with a null value hence the lack of visible change.

Either way use the property TimeGenerated property instead

Sort-Object having no effect on Get-EventLog

There are 2 best solutions below

Related Questions in WINDOWS

Related Questions in POWERSHELL

Related Questions in GET-EVENTLOG

Trending Questions

Popular # Hahtags

Popular Questions