Menu
I have two select statements here. The "headings" from the first (message, username,timegenerated) are being used for the second (username,timegenerated).
Please look at the echo statement to see that the tables\outputs are being merged into one.
Can anyone explain why?
This needs to be run in a ps1 script to see the weirdness:
$before = get-date
$after = (get-date).AddDays(-1)
$a = Get-EventLog System -Before $before -After $after | ? {$_.Message -like "*start*"}
$a | select message, username,timegenerated
echo "----going through security----"
$b = Get-Eventlog security -Before $before -After $after |?{$_.category -match "Logon/Logoff" }
$b | select username,timegenerated
The output is this:
Message UserName TimeGenerated
------- -------- -------------
The Engine service was successfully sent a star... NT AUTHORITY\SYSTEM 22/09/2011 09:32:09
The Engine service was successfully sent a star... NT AUTHORITY\SYSTEM 21/09/2011 16:03:57
The Licensing Service service was successfu... DOMAIN\username 21/09/2011 15:58:12
----going through security----
DOMAIN\9876ABC$ 22/09/2011 14:05:41
DOMAIN\9876ABC$ 22/09/2011 14:04:58
DOMAIN\9876ABC$ 22/09/2011 14:03:40
DOMAIN\9876ABC$ 22/09/2011 14:02:57
NT AUTHORITY\LOCAL SERVICE 22/09/2011 14:01:59
973
Looks like a formatting issue, the following seems to work as expected though:
$before = get-date
$after = (get-date).AddDays(-1)
$a = Get-EventLog System -Before $before -After $after | ? {$_.Message -like "*start*"}
$a | select message, username,timegenerated | format-table -force
echo "----going through security----"
$b = Get-Eventlog security -Before $before -After $after |?{$_.category -match "Logon/Logoff" }
$b | select username,timegenerated | format-table -force
Additionally, this definitely looks like a bug concerning the output of multiple custom psobjects (created above as a result of doing the selects).
The following code explicitly creates a separate PSObject for each query result and returns the same results as your code (i.e. only one set of headings):
$before = get-date
$after = (get-date).AddDays(-1)
$a = Get-EventLog System -Before $before -After $after | ? {$_.Message -like "*start*"}
$a = $a | `
% {New-Object PSObject -Property `
@{Message = $_.message; Username = $_.username; Timegenerated = $_.timegenerated}
}
$a
echo "----going through security----"
$b = Get-Eventlog security -Before $before -After $after |?{$_.category -match "Logon/Logoff" }
$b = $b | `
% {New-Object PSObject -Property `
@{Username = $_.username; Timegenerated = $_.timegenerated}
}
$b
Run this in PS_ISE and execute:
$a | gm
$b | gm
You can see that they are distinct objects with different properties. Things get even weirder if you don't use the same key names between objects; look at the results returned if we change:
$b = $b | `
% {New-Object PSObject -Property `
@{Username = $_.username; Timegenerated = $_.timegenerated}
}
to:
$b = $b | `
% {New-Object PSObject -Property `
@{UsernameB = $_.username; TimegeneratedB = $_.timegenerated}
}
For those with no will to run this, it returns whitespace where the security result set should be. Running Get-Member again shows two custom objects, each with it's own properties.
It's probably worth logging this with Microsoft Connect although it looks like PSCustomObjects might be getting an overhaul in v3, see here.
75
This is a function of PowerShell's console output. When you output the first set of objects, you set the format for all subsequent objects. Everything following will be presented as a continuous stream of objects within the same table and publishing the same properties.
If you emit $a in one run and $b in a completely different run, you'll see you've really got two distinct sets of objects. You're just seeing a console formatting issue here.
1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
