Good day. I’m trying to filter logs with get-winevent. When I working with local

Question

0

Asked: May 29, 20262026-05-29T15:21:45+00:00 2026-05-29T15:21:45+00:00

Good day. I’m trying to filter logs with get-winevent. When I working with local

0

Good day.
I’m trying to filter logs with get-winevent. When I working with local logs as security, system etc. all is ok. StartTime work correctly.

$yesterday = (get-date) - (new-timespan -day 1) 
$a = get-winevent -FilterHashTable @{LogName='system'; StartTime=$yesterday}

When I try to use this command with “forwarded events” there is error: “Get-WinEvent : No events were found that match the specified selection criteria.” Problem with “StartTime” and “EndTime” only.

Anyone knew where is the problem?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-29T15:21:46+00:00

For these types of logs you need to use an xpath query, which is complicated.

$query=@"
<QueryList>
  <Query Id='0' Path='Microsoft-Windows-Dhcp-Client/Admin'>
    <Select Path='Microsoft-Windows-Dhcp-Client/Admin'>*[System[TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]]</Select>
  </Query>
</QueryList>
"@

get-winevent -LogName Microsoft-Windows-Dhcp-Client/Admin -FilterXPath $query

I don’t have anything in ForwardedEvents so I used a different log. The best thing to do is use EventViewer to build your query then copy and paste the XML. You’ll most likely need to fiddle with quote characters.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Good day. I’m trying to filter logs with get-winevent. When I working with local

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply