I need to pull a particular number from the output of this command:
Get-EventLog "application" | Where-Object {$_.EventID -eq 6006}
Sample output is:
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
18297 May 15 18:49 Warning Wlclntfy 2147489654 The winlogon notification subscriber <Profiles> took 60 second(s) to handle the notification event (Logon).
11788 Jan 31 08:11 Warning Wlclntfy 2147489654 The winlogon notification subscriber <Profiles> took 68 second(s) to handle the notification event (Logon).
5794 Oct 16 09:41 Warning Wlclntfy 2147489654 The winlogon notification subscriber <Sens> took 225 second(s) to handle the notification event (Logoff).
5596 Oct 11 08:03 Warning Wlclntfy 2147489654 The winlogon notification subscriber <Profiles> took 69 second(s) to handle the notification event (Logon).
2719 Aug 30 07:50 Warning Wlclntfy 2147489654 The winlogon notification subscriber <Profiles> took 65 second(s) to handle the notification event (Logon).
What I actually need to do is pull the number of seconds reported by the <Profiles> events, and pull out the largest one. I've gotten as far as figuring out (?<=<Profiles> took )(\d+) will work to pull just the numbers I need, but I'm not sure how to proceed to actually extract them. I've tried piping it to Select-String -pattern, but that just returns nothing at all.
You want the $matches builtin variable. $matches[0] is the text that matched the regexp, and $matches[1] .. $matches[n] are the matched parenthetical expressions (if there were any).
Sadly I don't have any EventID=6006 on my machine so I'm doing this without testing, but this should select the last item from the sorted list of seconds:
Get-EventLog "application" |
Where-Object {$_.EventID -eq 6006} |
Where-Object { $_.Message -match "<Profiles> took (\d*) second" } |
foreach { [int]$matches[1] } |
sort |
select -last 1
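As an added example (not part of the answer above), the following PowerShell run uses the asker's own lookbehind pattern with Select-String against constructed copies of the sample messages, then takes the maximum. The point it illustrates is why piping Get-EventLog straight into Select-String returned nothing: Select-String matches strings, so it has to be fed $_.Message rather than the whole EventLogEntry object.

```powershell
# Added example, not the page's own code. Extract the seconds value from
# 6006-style messages with the question's regex and return the largest one.

# Constructed sample messages mirroring the question's output (not real log data).
$messages = @(
    'The winlogon notification subscriber <Profiles> took 60 second(s) to handle the notification event (Logon).',
    'The winlogon notification subscriber <Profiles> took 68 second(s) to handle the notification event (Logon).',
    'The winlogon notification subscriber <Sens> took 225 second(s) to handle the notification event (Logoff).',
    'The winlogon notification subscriber <Profiles> took 69 second(s) to handle the notification event (Logon).'
)

# The asker's pattern: digits immediately after "<Profiles> took ".
$pattern = '(?<=<Profiles> took )(\d+)'

# Select-String emits a MatchInfo per matching line; .Matches holds the regex Match objects.
# The <Sens> line produces no MatchInfo at all, so it is filtered out here.
$seconds = $messages |
    Select-String -Pattern $pattern |
    ForEach-Object { [int]$_.Matches[0].Value }

$seconds | Measure-Object -Maximum   # Maximum is 69 for the sample above

# Against the live Application log the same pipeline is:
# Get-EventLog -LogName Application |
#     Where-Object { $_.EventID -eq 6006 } |
#     ForEach-Object { $_.Message } |
#     Select-String -Pattern $pattern |
#     ForEach-Object { [int]$_.Matches[0].Value } |
#     Measure-Object -Maximum
```

Get-EventLog exists only in Windows PowerShell 5.1; on PowerShell 7 the equivalent query is `Get-WinEvent -FilterHashtable @{LogName='Application'; Id=6006}`, whose entries also expose a Message property, so the rest of the pipeline is unchanged.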
You can get the value(s) without regex. Take a look at the ReplacementStrings property of the event. It contains an array that holds the replacement strings stored in the event entry.
PS> $event.ReplacementStrings
Profiles
71
Logon
Based on that you could use array indexing to get the values you're after.
Get-EventLog application |
Where-Object {$_.EventID -eq 6006 -and $_.ReplacementStrings -eq 'Profiles'} |
Foreach-Object { $_.ReplacementStrings[1] }
Related
I have more than 1100 Windows devices registered in Intune; some users had their laptop replaced, but the replaced device was not deleted. How can I generate a list of UPNs that have more than one device? I will need to check this list and then remove the devices from on-prem AD, AAD and Intune.
I was trying to create a PowerShell script, but I am not finding a way to do that.
$intuneDevices = Get-IntuneManagedDevice | Get-MSGraphAllPages
$windevices = $intuneDevices | Where-Object { $_.operatingSystem -eq "Windows" }
$windevices | Where-Object { $_.userPrincipalName -ge '1' } | Select DeviceName, userPrincipalName
I am not sure exactly how I can get the userPrincipalName values that have more than one device.
I hope it makes sense and someone can help.
Thanks in advance
TZ
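The grouping the question is after can be done with Group-Object. The following is an added example, not code from the post: it runs on a constructed device list with the property names Get-IntuneManagedDevice returns, so it works offline, and with the Microsoft.Graph.Intune module the same pipeline starts from `Get-IntuneManagedDevice | Get-MSGraphAllPages` exactly as in the question.

```powershell
# Added example, not from the original post: list UPNs that own more than one
# Windows device, with the devices ordered by last sync so the stale one stands out.

# Constructed sample records (the live data comes from Get-IntuneManagedDevice | Get-MSGraphAllPages).
$intuneDevices = @(
    [pscustomobject]@{ deviceName = 'LAPTOP-001'; userPrincipalName = 'alice@example.com'; operatingSystem = 'Windows'; lastSyncDateTime = [datetime]'2023-01-10' }
    [pscustomobject]@{ deviceName = 'LAPTOP-002'; userPrincipalName = 'alice@example.com'; operatingSystem = 'Windows'; lastSyncDateTime = [datetime]'2023-06-01' }
    [pscustomobject]@{ deviceName = 'LAPTOP-003'; userPrincipalName = 'bob@example.com';   operatingSystem = 'Windows'; lastSyncDateTime = [datetime]'2023-06-02' }
    [pscustomobject]@{ deviceName = 'PHONE-001';  userPrincipalName = 'alice@example.com'; operatingSystem = 'iOS';     lastSyncDateTime = [datetime]'2023-06-03' }
    [pscustomobject]@{ deviceName = 'LAPTOP-004'; userPrincipalName = '';                  operatingSystem = 'Windows'; lastSyncDateTime = [datetime]'2023-06-04' }
)

# Keep Windows devices that actually have a primary user (unassigned devices have an empty UPN
# and would otherwise all be grouped together under ""), then keep only groups with 2+ devices.
$duplicates = $intuneDevices |
    Where-Object { $_.operatingSystem -eq 'Windows' -and $_.userPrincipalName } |
    Group-Object -Property userPrincipalName |
    Where-Object { $_.Count -gt 1 }

# One row per UPN; devices listed oldest-sync first.
$report = foreach ($g in $duplicates) {
    $deviceList = $g.Group |
        Sort-Object lastSyncDateTime |
        ForEach-Object { "$($_.deviceName) ($($_.lastSyncDateTime.ToString('yyyy-MM-dd')))" }
    [pscustomobject]@{
        userPrincipalName = $g.Name
        DeviceCount       = $g.Count
        Devices           = $deviceList -join '; '
    }
}

$report | Format-Table -AutoSize
# For the sample data only alice@example.com is listed:
#   LAPTOP-001 (2023-01-10); LAPTOP-002 (2023-06-01)

# Export the list for review before removing anything from AD, AAD or Intune:
# $report | Export-Csv -Path .\duplicate-upns.csv -NoTypeInformation
```

The phone is excluded by the operatingSystem filter even though it belongs to the same user, and the device with no assigned user is excluded by the UPN check; both would otherwise inflate the counts.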
I generate events on multiple computers that list service names that aren't running. I want to make a chart that displays the top offending service names.
I can use the following to get a table for the dashboard:
ComputerName="*.ourDomain.com" sourcetype="WinEventLog:Application" EventCode=7223 SourceName="internalSystem"
| eval Date_Time=strftime(_time, "%Y-%m-%d %H:%M")
| table host, Date_Time, Message, EventCode
Typical Message(s) will contain:
The following services were not running after 5603 seconds and a start command has been sent:
Service1
Service2
The following services were not running after 985 seconds and a start command has been sent:
Service2
Service3
Using regex I can make a named group of everything but the first line with (?<Services>((?<=\n)).*)
However, I don't think this is the right approach as I don't know how to do a valuation for the chart with this information.
So in essence, how do I grab and tally service names from messages in Splunk?
Edit 1:
Coming back to this after a few days.
I created a field extraction called "Services" with regex that grabs the contents of each message after the first line.
If I use | stats count BY Services it counts each message as a whole instead of the lines inside. The results look like this:
Service1 Service2 | Count: 1
Service2 Service3 | Count: 1
My intention is to have it treat each line as its own value so the results would look like:
Service1 | Count: 1
Service2 | Count: 2
Service3 | Count: 1
I tried | mvexpand Services but it didn't change the output so I assume I'm either using it improperly or it's not applicable here.
I think you can do it with the stats command.
| stats count by service
will give a number of appearances for each service. You then can choose the bar chart visualization to create a graph.
I ended up using split() and mvexpand to solve this problem.
This is what worked in the end:
My search
| eval events=split(Service, "
")
| mvexpand events
| eval events=replace(events, "[\n\r]", "")
| stats count BY events
I had to add the replace() call because any event with just one service listed was being treated differently from an event with multiple: after the split, each service from an event with multiple services still had a carriage return on it, hence the replace.
My end result dashboard chart:
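The same split-and-count logic, done locally in PowerShell against constructed messages, shows why the replace() step in the answer above matters. This is an added example, not part of the answer: Windows event messages carry CRLF line endings, so splitting on the newline alone leaves a trailing carriage return on every service name except the last one in each message, and "Service2" followed by CR no longer tallies together with a bare "Service2".

```powershell
# Added example, not the page's own code: tally service names from multi-line
# event messages and show the effect of leaving carriage returns in place.

# Constructed messages with CRLF endings, as Windows event messages have.
$messages = @(
    "The following services were not running after 5603 seconds and a start command has been sent:`r`nService1`r`nService2",
    "The following services were not running after 985 seconds and a start command has been sent:`r`nService2`r`nService3",
    "The following services were not running after 1200 seconds and a start command has been sent:`r`nService2"
)

function Get-ServiceTally {
    param(
        [string[]]$Messages,
        [switch]$StripCR    # equivalent of the answer's replace(events, "[\n\r]", "")
    )
    $names = foreach ($m in $Messages) {
        # Split on LF only (what the answer's split() does) and drop the header line.
        $lines = $m -split "`n" | Select-Object -Skip 1
        if ($StripCR) { $lines = $lines -replace '[\r\n]', '' }
        $lines | Where-Object { $_ -ne '' }
    }
    $names |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Service'; e = { $_.Name } }, Count
}

# Without stripping, "Service2<CR>" and "Service2" are separate buckets:
#   Service2 2, Service1<CR> 1, Service2<CR> 1, Service3 1
Get-ServiceTally -Messages $messages

# With the carriage returns removed the counts collapse correctly:
#   Service2 3, Service1 1, Service3 1
Get-ServiceTally -Messages $messages -StripCR
```

The only-one-service case the answer mentions is the third message: its single service line has no trailing CR, which is exactly why it was counted separately from the same name inside multi-service messages.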
For Chart dropping down that is clean:
index="yourIndex" "<searchCriteria>" | stats count(eval(searchmatch("<searchCriteria>"))) as TotalCount
count(eval(searchmatch("search1"))) as Name1
count(eval(searchmatch("search2" ))) as Name2
count(eval(searchmatch("search3"))) as Name3
| transpose 5
| rename column as "Name", "row 1" as "Count"
Horizontal table example with percentages:
index=something "Barcode_Fail" OR "Barcode_Success"
| stats count(eval(searchmatch("Barcode_Success"))) as SuccessCount
count(eval(searchmatch("Barcode_Fail"))) as FailureCount
count(eval(searchmatch("Barcode_*"))) as Totals
| eval Failure_Rate=FailureCount/Totals
| eval Success_Rate=SuccessCount/Totals
At a high level, I wrote a Lambda that notifies Slack whether or not there's an error.
From an aws tool-chain perspective, the tech design looks like this:
Acceptance Criteria (in BDD style)
Scenario: As an engineer I want to get notified if my lambda PASSED or FAILED whenever it executes
Given I have a lambda function that runs on a schedule (9am everyday)
Given I have a metric filter that looks for the string "error" in the logs
And I created an alarm that does the following:
# +------------------------+--------------+
# | ALARM |
# +------------------------+--------------+
# | Statistic | Sum |
# | Period | 5 minutes |
# | Threshold type | Static |
# | Alarm condition | >= threshold |
# | Threshold value | 1 |
# | Datapoints to Alarm | 1 of 1 |
# | missing data treatment | ignore |
# | Alarm State | in Alarm |
# +------------------------+--------------+
And I created another alarm that does the following:
# +------------------------+--------------+
# | OK |
# +------------------------+--------------+
# | Statistic | Sum |
# | Period | 5 minutes |
# | Threshold type | Static |
# | Alarm condition | <= threshold |
# | Threshold value | 1 |
# | Datapoints to Alarm | 1 of 1 |
# | missing data treatment | good |
# | Alarm State | OK |
# +------------------------+--------------+
Then EVERY TIME my function executes without "error" I should get "OK"
Then EVERY TIME my function executes with "error" I should get "ALARM"
The actual behavior is it will send out a notification only ONCE, and it will only send again when the alarm type changes i.e.
ALARM -> OK
OK -> ALARM
I don't seem to get notifications for this pattern
ALARM -> ALARM
OK -> OK
Ideally I want to receive a notification every time function executes
There’s no need to use a CloudWatch alarm. If you want one message every time the Lambda executes, you should just publish the SNS message as the last thing inside your Lambda function.
try {
// existing code goes here...
snsClient.publish("my-chatbot-topic", "Some success message");
} catch (Exception e) {
snsClient.publish("my-chatbot-topic", "Some error message");
// rethrow the exception so that the lambda still fails for this
throw e;
}
As per the AWS documentation:
Alarms invoke actions for sustained state changes only. CloudWatch alarms don't invoke actions simply because they are in a particular state, the state must have changed and been maintained for a specified number of periods.
One solution is to stream the CW logs to a lambda function that sends the SNS messages.
With a fast search I found this code that does exactly this (I didn't try myself): https://github.com/codemonauts/aws-cloudwatch-stream-filter-sns-gateway
Hi all, is there a way to show a progress bar for 10 minutes, with statistics on the percentage completed and how much time remains of the 10 minutes, using Write-Progress?
If I understand the question correctly, the goal is to show some additional information in the progress messages. This can be done for example by using the Activity parameter. The script below only shows the idea (for 1 minute, for a shorter test). It should be modified to reflect the actually needed format of the message and the information to be shown.
$time = 60 # seconds, use you actual time in here
foreach($i in (1..$time)) {
$percentage = $i / $time
$remaining = New-TimeSpan -Seconds ($time - $i)
$message = "{0:p0} complete, remaining time {1}" -f $percentage, $remaining
Write-Progress -Activity $message -PercentComplete ($percentage * 100)
Start-Sleep 1
}
The progress looks like this:
57 % complete, remaining time 00:00:26
Processing
[oooooooooooooooooooooooooooooooooooooooooooooooooooooo
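Write-Progress also has -Status and -SecondsRemaining parameters, so the remaining time does not have to be packed into the Activity string. The following is an added example, not code from the answer above: it runs the full 10-minute countdown the question asks for and derives the percentage from wall-clock time rather than the loop counter, so the bar stays accurate even if an iteration is delayed.

```powershell
# Added example, not the page's own code: a 10-minute countdown using
# Write-Progress -Status and -SecondsRemaining, timed against the clock.

function Show-Countdown {
    param(
        [int]$Minutes = 10,      # total duration
        [int]$TickSeconds = 1    # refresh interval
    )
    $total = [timespan]::FromMinutes($Minutes)
    $start = Get-Date
    do {
        $elapsed = (Get-Date) - $start
        if ($elapsed -gt $total) { $elapsed = $total }     # clamp so PercentComplete never exceeds 100
        $remaining = $total - $elapsed
        $percent   = [int](100 * $elapsed.TotalSeconds / $total.TotalSeconds)

        # -Status carries the human-readable line; -SecondsRemaining lets the host render its own ETA.
        Write-Progress -Activity "Waiting $Minutes minute(s)" `
                       -Status ("{0}% complete, {1:hh\:mm\:ss} elapsed, {2:hh\:mm\:ss} remaining" -f $percent, $elapsed, $remaining) `
                       -PercentComplete $percent `
                       -SecondsRemaining ([int]$remaining.TotalSeconds)

        Start-Sleep -Seconds $TickSeconds
    } while ($remaining.TotalSeconds -gt 0)

    # Remove the bar once finished; otherwise some hosts leave it on screen.
    Write-Progress -Activity "Waiting $Minutes minute(s)" -Completed
}

Show-Countdown -Minutes 10
```

Pass `-Minutes 1` for a quick test, as the answer above does with its 60-second loop.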
I'm writing C++ code in OPNET Modeler.
I try to simulate my scenario in debugger mode & I need to trace the function that I wrote. I need to show the print statements which I put in my code.
In debugger mode I used: ltr function_name() then c
But the result looks like:
Type 'help' for Command Summary
ODB> ltr enqueue_packet()
Added trace #0: trace on label (enqueue_packet())
ODB> c
|-----------------------------------------------------------------------------|
| Progress: Time (1 min. 52 sec.); Events (500,002) |
| Speed: Average (82,575 events/sec.); Current (82,575 events/sec.) |
| Time : Elapsed (6.1 sec.) |
| DES Log: 28 entries |
|-----------------------------------------------------------------------------|
|-----------------------------------------------------------------------------|
| Progress: Time (1 min. 55 sec.); Events (1,000,002) |
| Speed: Average (69,027 events/sec.); Current (59,298 events/sec.) |
| Time : Elapsed (14 sec.) |
| DES Log: 28 entries |
|-----------------------------------------------------------------------------|
|-----------------------------------------------------------------------------|
| Progress: Time (1 min. 59 sec.); Events (1,500,002) |
| Speed: Average (51,464 events/sec.); Current (34,108 events/sec.) |
| Time : Elapsed (29 sec.) |
| DES Log: 28 entries |
|-----------------------------------------------------------------------------|
|-----------------------------------------------------------------------------|
| Simulation Completed - Collating Results. |
| Events: Total (1,591,301); Average Speed (48,803 events/sec.) |
| Time : Elapsed (33 sec.); Simulated (2 min. 0 sec.) |
| DES Log: 29 entries |
|-----------------------------------------------------------------------------|
|-----------------------------------------------------------------------------|
| Reading network model. |
|-----------------------------------------------------------------------------|
I need to show the print statements in my code.
Where should they appear?
Is there any step before running the simulation to ensure that the OPNET debugger uses Visual Studio & goes through my code??
OPNET Modeler provides the following commands to print trace output:
op_prg_odb_print_major() Prints a sequence of strings to the standard output device, in the format of ODB trace statements starting at the major indentation level.
op_prg_odb_print_minor() Prints a sequence of strings to the standard output device, in the format of ODB trace statements at the minor indentation level.
op_prg_text_output() Prints a sequence of user-defined strings to the standard output device.
For example:
if (op_prg_odb_ltrace_active ("tcp_window")) {
/* a trace is enabled, output Window-Related Variables */
char str0[128], str1[128], str2[128];
sprintf (str0, "rcv requests pending : (%d)", num_rcvs_allowed);
sprintf (str1, "local receive window : (%d)", receive_window);
sprintf (str2, "remote receive window : (%d)", remote_window);
op_prg_odb_print_major ("Window-Related Variables", str0, str1, str2, OPC_NIL);
sprintf (str0, "send unacked : (%d)", send_unacked);
sprintf (str1, "send_next : (%d)", send_next);
sprintf (str2, "receive next : (%d)", receive_next);
op_prg_odb_print_minor (str0, str1, str2, OPC_NIL);
}
Example output as it appears on the standard output device:
| Window-Related Variables
| rcv requests pending : (3)
| local receive window : (6400)
| remote receive window : (10788)
| send unacked : (4525)
| send_next : (5000)
| receive_next : (1200)
[Code taken from OPNET Modeler documentation.]
Note: I am guessing that you are modifying the standard models and are using the stdmod Repository. If this is the case, your code is not being compiled and you will not see any print statements in the debugger. See preference "Network simulation Repositories" to see if you are using a repository instead of compiling your own code.
I don't have much idea about what you're trying to do, but I think you can output statements directly to a debugger for C++ code using
OutputDebugStringA("Your string here");
or just
OutputDebugString("Your string here");
Hope this helps!