0 Votes
Joachim-3513 asked

Powershell 5.1: show simple progress in a pipe

I use this command to find EventID 4625 (bad logons) on my domain controllers:

 Get-EventLog -ComputerName $server -LogName 'security' -InstanceId 4625 |
     select @{Label='Time';Expression={$_.TimeGenerated.ToString('g')}},
            @{Label='User Name';Expression={$_.replacementstrings[5]}},
            @{Label='Client Name';Expression={$_.replacementstrings[13]}},
            @{Label='Client Address';Expression={$_.replacementstrings[19]}} |
     Export-Csv $path\4625_$server.csv -NoTypeInformation -Delimiter ";"

Since this can run for a very long time, I would like to have a very simple progress report, like writing a "." for every event entry it finds. But everything I came up with messes up the export to CSV. Any ideas?

windows-server-powershell

1 Vote
RichMatheisen-8856 answered

Before adding any progress indicator, I think you'd do yourself a huge favor by switching to the Get-WinEvent cmdlet and letting the target system do the search instead of having Get-EventLog return a huge number of events to be filtered locally.

 Get-WinEvent -FilterHashtable @{LogName="Security";ID=4625} -ComputerName $server

Here's one link that uses the same criteria as your example: better-event-logs-with-powershell

If all you want is a progress indicator, then pipe the results into a ForEach-Object and use "Write-Host '.' -NoNewline" followed by whatever data extraction you'd like.



0 Votes
LimitlessTechnology-2700 answered

0 Votes
Joachim-3513 answered RichMatheisen-8856 commented

Thank you for your suggestions. I know both methods, but imho they don't work as part of a pipe (where in the end I export to a CSV).


Your opinion is misinformed!

This produces 10 "dots" on the console and a CSV with one column named "Count" and ten rows holding the numbers 1 through 10.

 1..10 | ForEach-Object {Write-Host "." -NoNewline; [pscustomobject]@{Count=$_ }} | export-csv c:\junk\count.csv -NoTypeInformation

0 Votes
Joachim-3513 answered Joachim-3513 commented

I try to clarify it: what I would need is to execute a pipe and, WHILE the pipe is running, regardless of what it is doing, to output something on the screen every second, so the user knows: this script is still doing something.

Example
Searching for Event I 1234
................................ (<< THIS is what I want to see while the pipe is running)
Done


If you're expecting to see your 'progress' indicator while Get-EventLog is searching for something, that's not gonna happen (at least not easily). But once Get-EventLog starts returning the items it finds, then you can start showing the progress indicator output.

This "waiting" is why I suggested using the new Get-WinEvent. That makes the search happen on the target machine and it is much faster.


I suppose you could place the Get-WinEvent in a script block and run it using Start-Job. Then run Get-Job in a loop with a small Start-Sleep interval until the job is finished.

Joachim-3513 replied to RichMatheisen-8856:

That's the solution to my question, thank you :)

0 Votes
joseantoniosilva answered Joachim-3513 commented

@RichMatheisen-8856 is right. Progress bars depend on a reference percentage. If you are doing a search like this, you can't have a real progress because you can calculate how many records you will find.

If what you want is a signal of what already was found, just pipe the results into a simple dot as already proposed. Just keep piping out the current $_ to make sure you can get the results to the next command.


 Get-WinEvent -FilterHashtable @{LogName="Security";ID=4625} -ComputerName $server |
     %{  Write-Host "." -NoNewline; $_ } | export-csv c:\junk\count.csv -NoTypeInformation



I was not looking for a progress bar, I asked for a "this script is still alive" message.

@RichMatheisen-8856 provided the solution: "Place the Get-WinEvent in a script block and run it using Start-Job. Then run Get-Job in a loop with a small Start-Sleep interval until the job is finished."

Sadly I can't mark this as an answer.

0 Votes
Joachim-3513 answered

@RichMatheisen-8856 provided the solution: "Place the Get-WinEvent in a script block and run it using Start-Job. Then run Get-Job in a loop with a small Start-Sleep interval until the job is finished."

Thank you :)
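
The Start-Job / Get-Job loop quoted above, written out for the 4625 query as an added example that is not part of the original thread. The server name `DC01`, the folder `C:\Temp`, and the mapping of `Properties[n]` to the question's `replacementstrings[n]` are assumptions.

```powershell
# Assumed placeholders (not from the thread): your DC name and output folder.
$server = 'DC01'
$path   = 'C:\Temp'

# Run the query in a background job so the console is free for the heartbeat.
$job = Start-Job -ArgumentList $server -ScriptBlock {
    param($server)
    # -ErrorAction Stop turns "access denied", "RPC unavailable" and
    # "no events found" into a Failed job instead of a silent empty CSV.
    Get-WinEvent -ComputerName $server -ErrorAction Stop -FilterHashtable @{
        LogName = 'Security'; Id = 4625
    } | ForEach-Object {
        # Project inside the job: only four strings per event are serialized back.
        # Assumption: Properties[n] matches ReplacementStrings[n] from the question.
        [pscustomobject]@{
            'Time'           = $_.TimeCreated.ToString('g')
            'User Name'      = $_.Properties[5].Value
            'Client Name'    = $_.Properties[13].Value
            'Client Address' = $_.Properties[19].Value
        }
    }
}

Write-Host "Searching for Event ID 4625 on $server"
while ((Get-Job -Id $job.Id).State -notin 'Completed', 'Failed', 'Stopped') {
    Write-Host '.' -NoNewline      # host output only, never enters the pipeline
    Start-Sleep -Seconds 1
}
Write-Host ''

if ($job.State -eq 'Completed') {
    # Receive-Job adds PSComputerName/RunspaceId; Select-Object keeps them out of the CSV.
    Receive-Job -Job $job |
        Select-Object 'Time', 'User Name', 'Client Name', 'Client Address' |
        Export-Csv -Path (Join-Path $path "4625_$server.csv") -NoTypeInformation -Delimiter ';'
    Write-Host 'Done'
} else {
    Write-Warning "Query failed: $($job.ChildJobs[0].JobStateInfo.Reason.Message)"
}
Remove-Job -Job $job -Force
```

The job runs under the same account as the calling session, so that account still needs permission to read the Security log on the target.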
