|
code
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
WMI Select statementSorry if this is posted in the wrong place but I could not find where to post
this. I am trying to combine 2 Select statements, they both work fine by themselves, but combined I can't get them to work. See below Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent Where TimeWritten >= '" & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'") Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent Where Logfile='Security' and eventcode= '123'", "WQL",wbemFlagReturnImmediately + wbemFlagForwardOnly) How can I combine these to return both the last 24hrs and also the eventid and log I need. Thanks in advance
Show quote
Hide quote
"Bob Smith" <BobSm***@discussions.microsoft.com> wrote in message So you're saying this didn't work:news:97959DFF-74C5-416B-B430-449A55A05D49@microsoft.com... > I am trying to combine 2 Select statements, they both work fine by > themselves, but combined I can't get them to work. See below > > Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent > Where > TimeWritten >= '" & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & > "'") > > Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent > Where > Logfile='Security' and eventcode= '123'", "WQL",wbemFlagReturnImmediately > + > wbemFlagForwardOnly) > > How can I combine these to return both the last 24hrs and also the eventid > and log I need. Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent Where TimeWritten >= '" & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "' And Logfile='Security' and eventcode= '123'", "WQL",wbemFlagReturnImmediately + wbemFlagForwardOnly) Correct, that does not work. It brings back no entries. But I know for a fact
there is an event 123 in the last few minutes as I just created one. Show quoteHide quote "Jeff Johnson [MVP: VB]" wrote: > > "Bob Smith" <BobSm***@discussions.microsoft.com> wrote in message > news:97959DFF-74C5-416B-B430-449A55A05D49@microsoft.com... > > > I am trying to combine 2 Select statements, they both work fine by > > themselves, but combined I can't get them to work. See below > > > > Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent > > Where > > TimeWritten >= '" & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & > > "'") > > > > Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent > > Where > > Logfile='Security' and eventcode= '123'", "WQL",wbemFlagReturnImmediately > > + > > wbemFlagForwardOnly) > > > > How can I combine these to return both the last 24hrs and also the eventid > > and log I need. > > So you're saying this didn't work: > > Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent Where > TimeWritten >= '" & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "' > And Logfile='Security' and eventcode= '123'", > "WQL",wbemFlagReturnImmediately + > wbemFlagForwardOnly) > > > "Bob Smith" <BobSm***@discussions.microsoft.com> wrote in message This works for me (you'll need to changed the logfile and eventcode in thenews:97959DFF-74C5-416B-B430-449A55A05D49@microsoft.com > Sorry if this is posted in the wrong place but I could not find where > to post this. > > I am trying to combine 2 Select statements, they both work fine by > themselves, but combined I can't get them to work. See below query) Private Sub Main() Dim sQuery As String Dim dtmStartDate As Date Dim dtmEndDate As Date Dim colItems As Object Dim objWMIService As Object Dim objEntry As Object Set objWMIService = GetObject("winmgmts:") dtmStartDate = DateAdd("h", -24, Now) dtmEndDate = Now ' always format dates in queries to avoid locale problems sQuery = "SELECT * FROM Win32_NTLogEvent Where TimeWritten >= '" & _ Format$(dtmStartDate, "yyyy-mm-dd hh:nn:ss") & _ "' and TimeWritten < '" & Format$(dtmEndDate, "yyyy-mm-dd hh:nn:ss") & _ "' and Logfile='System' and eventcode= 105" ' bit flags are best combined with Or, not + Set colItems = objWMIService.ExecQuery(sQuery, "WQL", _ wbemFlagReturnImmediately Or wbemFlagForwardOnly) Debug.Print sQuery For Each objEntry In colItems Debug.Print objEntry.timewritten, objEntry.LogFile, objEntry.EventCode Next Set colItems = Nothing Set objWMIService = Nothing End Sub -- Reply to the group so all can participate VB.Net: "Fool me once..." "Bob Butler" <tiredofit@nospam.com> wrote in message I take it back... in order to get the correct date range I had to convert tonews:%23hbqjhTYFHA.3712@TK2MSFTNGP10.phx.gbl > "Bob Smith" <BobSm***@discussions.microsoft.com> wrote in message > news:97959DFF-74C5-416B-B430-449A55A05D49@microsoft.com >> Sorry if this is posted in the wrong place but I could not find where >> to post this. >> >> I am trying to combine 2 Select statements, they both work fine by >> themselves, but combined I can't get them to work. See below > > This works for me (you'll need to changed the logfile and eventcode > in the query) the format used by WMI in the query. This looks like it works for me: ' Time Zone API declarations Private Const TIME_ZONE_ID_UNKNOWN = 0 Private Const TIME_ZONE_ID_STANDARD = 1 Private Const TIME_ZONE_ID_INVALID = &HFFFFFFFF Private Const TIME_ZONE_ID_DAYLIGHT = 2 Private Type SYSTEMTIME wYear As Integer wMonth As Integer wDayOfWeek As Integer wDay As Integer wHour As Integer wMinute As Integer wSecond As Integer wMilliseconds As Integer End Type Private Type TIME_ZONE_INFORMATION bias As Long ' current offset to GMT StandardName(1 To 64) As Byte ' unicode string StandardDate As SYSTEMTIME StandardBias As Long DaylightName(1 To 64) As Byte DaylightDate As SYSTEMTIME DaylightBias As Long End Type Private Declare Function GetTimeZoneInformation Lib "kernel32" _ (lpTimeZoneInformation As TIME_ZONE_INFORMATION) As Long Private Sub Main() Dim sQuery As String Dim dtmStartDate As Date Dim dtmEndDate As Date Dim colItems As Object Dim objWMIService As Object Dim objEntry As Object Set objWMIService = GetObject("winmgmts:") dtmStartDate = DateAdd("h", -24, Now) dtmEndDate = Now sQuery = "SELECT * FROM Win32_NTLogEvent Where TimeWritten >= '" & _ WMITime(dtmStartDate) & "' and TimeWritten < '" & WMITime(dtmEndDate) & _ "' and Logfile='Application'" ' and eventcode= 105" ' bit flags are best combined with Or, not + Set colItems = objWMIService.ExecQuery(sQuery, "WQL", _ wbemFlagReturnImmediately Or wbemFlagForwardOnly) Debug.Print sQuery For Each objEntry In colItems Debug.Print LocalTime(objEntry.timewritten), objEntry.LogFile, objEntry.EventCode Next Set colItems = Nothing Set objWMIService = Nothing End Sub Private Function LocalTime(ByVal WMITime As String) As Date Dim dOut As Date dOut = DateSerial(CInt(Left$(WMITime, 4)), CInt(Mid$(WMITime, 5, 2)), CInt(Mid$(WMITime, 7, 2))) + _ TimeSerial(CInt(Mid$(WMITime, 9, 2)), CInt(Mid$(WMITime, 11, 2)), CInt(Mid$(WMITime, 13, 2))) LocalTime = dOut 'DateAdd("n", CLng(Mid$(WMITime, 22)), dOut) End Function Private Function WMITime(ByVal LocalTime As Date) As String Dim dTime As Date WMITime = Format$(LocalTime, "yyyymmddhhnnss") & ".000000" & _ Format$("+000", -GMTOffset) End Function Private Function GMTOffset() As Long Dim uTZI As TIME_ZONE_INFORMATION Select Case GetTimeZoneInformation(uTZI) ' if not daylight assume standard Case TIME_ZONE_ID_DAYLIGHT: GMTOffset = uTZI.bias + uTZI.DaylightBias Case Else: GMTOffset = uTZI.bias + uTZI.StandardBias End Select End Function -- Reply to the group so all can participate VB.Net: "Fool me once..." |
|||||||||||||||||||||||
Other interesting topics