I'm filtering event log entries using the "Get-Winevent" cmdlet. I want to get events whose levels are less than 4 (or where LevelName isn't "Informational").
I use the -filterhashtable flag to filter the events. But is there a way to do comparisons with filterhashtable? Or just put a "not"? Or does filterhashtable only accept "=" as an operator?
These two snippets work and get the same results:
where-object
$events = Get-WinEvent -computer ServerName -LogName System | Where-Object {$_.level -lt 4}
-filterhashtable
$events = Get-WinEvent -computer ServerName -FilterHashTable @{LogName = 'System'; Level = 1}
$events += Get-WinEvent -computer ServerName -FilterHashTable @{LogName = 'System'; Level = 2}
$events += Get-WinEvent -computer ServerName -FilterHashTable @{LogName = 'System'; Level = 3}
The second snippet runs much faster than the first snippet (2 minutes versus 16 seconds in one case). As I understand it, "where-object" has to wait until "Get-WinEvent" has gotten every event object (possibly thousands). Adding "-filterhashtable" causes the target system's event log to filter before it gives the event object to Get-WinEvent, which is much faster.
Can I combine the statements? These snippets don't work:
$events = Get-WinEvent -computer ServerName -FilterHashTable @{LogName = 'System'; Level < 4}
$events = Get-WinEvent -computer ServerName -FilterHashTable @{LogName = 'System'; Level != 2}
The "Level" property is type "int[32]" so a comparison operator should work. In fact, it does work with "where-object". But it doesn't work with the "-filterhashtable" flag. Is there no way to do that sort of comparison? Is "=" the only operator -filterhashtable accepts?
No dice on operators like that. The FilterXPath parameter supports that. However the help on the FilterHashtable parameter indicates it takes an array of int, so it would accept:
... -FilterHashtable @{LogName='System';Level=0,1,3}
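The two server-side options named in the answer above, side by side, as an added example that is not part of the original posts. 'ServerName' is the placeholder host from the question, and the variable names are illustrative.

```powershell
# Added example. 'ServerName' is the placeholder host from the question;
# variable names are illustrative.
$computer = 'ServerName'

# 1) FilterHashtable: no comparison operators, but a key may hold an array.
#    The array values are OR-ed: Critical (1), Error (2), Warning (3).
$hashFilter = @{ LogName = 'System'; Level = 1, 2, 3 }

# 2) FilterXPath: comparison operators are evaluated by the event log service.
#    A bare "Level < 4" would also match Level 0 (LogAlways), so the range is
#    bounded explicitly to select the same records as the hashtable filter.
$xpath = '*[System[Level>=1 and Level<=3]]'

# Get-WinEvent writes an error when no event matches. SilentlyContinue turns
# that into an empty result; it also hides connection errors, so inspect
# $Error if both counts come back as 0.
$byHash  = @(Get-WinEvent -ComputerName $computer -FilterHashtable $hashFilter -ErrorAction SilentlyContinue)
$byXPath = @(Get-WinEvent -ComputerName $computer -LogName System -FilterXPath $xpath -ErrorAction SilentlyContinue)

# Both filters should return the same number of events.
'{0} events via FilterHashtable, {1} via FilterXPath' -f $byHash.Count, $byXPath.Count

# Break the result down by level for triage.
$byXPath |
    Group-Object -Property LevelDisplayName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

The same query passed through -FilterXml instead of -FilterXPath needs the `<` character written as `&lt;`, because there it sits inside an XML document.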