Das Skript:<\/h2>\n#Requires -Version 5.1\r\n\r\n<#\r\n.SYNOPSIS\r\n Search for specific events in Event Viewer based on the event log they were in, the source of the event, or the specific event IDs used. One of these three options is required for the search.\r\n.DESCRIPTION\r\n Search for specific events in Event Viewer based on the event log they were in, the source of the event, or the specific event IDs used. One of these three options is required for the search.\r\n.EXAMPLE\r\n -EventLogName \"Application\"\r\n \r\n Matching Events Found!\r\n\r\n LogName : Application\r\n ProviderName : Microsoft-Windows-Security-SPP\r\n Id : 16384\r\n TimeCreated : 4\/4\/2024 10:00:48 AM\r\n Message : Successfully scheduled Software Protection service for re-start at 2024-04-04T21:19:48Z. Reason: Rul...\r\n\r\n LogName : Application\r\n ProviderName : Microsoft-Windows-Security-SPP\r\n Id : 16394\r\n TimeCreated : 4\/4\/2024 10:00:17 AM\r\n Message : Offline downlevel migration succeeded.\r\n\r\n LogName : Application\r\n ProviderName : Microsoft-Windows-Security-SPP\r\n Id : 16384\r\n TimeCreated : 4\/4\/2024 9:59:59 AM\r\n Message : Successfully scheduled Software Protection service for re-start at 2024-04-04T21:19:59Z. Reason: Rul...\r\n\r\nPARAMETER: -EventLogName \"Application\"\r\n Specify the name of the Event Log from which to retrieve events.\r\n\r\nPARAMETER: -EventLogSource \"Microsoft-Windows-Kernel-General\"\r\n Determines the source of the events to retrieve.\r\n\r\nPARAMETER: -EventLogMessage \"Alert\"\r\n Filters events by the text contained in the event's message.\r\n\r\nPARAMETER: -EventIDs \"12, 13, 6008\"\r\n A comma-separated list of event IDs to include in the search.\r\n\r\nPARAMETER: -excludeEventIDs \"13\"\r\n A comma-separated list of event IDs to exclude from the search.\r\n\r\nPARAMETER: -StartDate \"12\/24\/2021\"\r\n Defines the start date and time for the event search. Events logged before this time will not be included in the results.\r\n\r\nPARAMETER: -EndDate \"12\/29\/2021\"\r\n Sets the end date and time for the event search. Events logged after this time will not be included.\r\n\r\nPARAMETER: -MultilineCustomField \"replaceMeWithAcustomFieldName\"\r\n Specify the name of a multiline custom field to optionally store the search results in. Leave blank to not set a multiline field.\r\n\r\nPARAMETER: -WysiwygCustomField \"replaceMeWithACustomFieldName\"\r\n Specify the name of a WYSIWYG custom field to optionally store the search results in. Leave blank to not set a WYSIWYG field.\r\n.NOTES\r\n Minimum OS Architecture Supported: Windows 10, Windows Server 2016\r\n Release Notes: Initial Release\r\nBy using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#>\r\n\r\n[CmdletBinding()]\r\nparam (\r\n [Parameter()]\r\n [String]$EventLogName,\r\n [Parameter()]\r\n [String]$EventLogSource,\r\n [Parameter()]\r\n [String]$EventLogMessage,\r\n [Parameter()]\r\n [String]$EventIDs,\r\n [Parameter()]\r\n [String]$ExcludeEventIDs,\r\n [Parameter()]\r\n [datetime]$StartDate,\r\n [Parameter()]\r\n [datetime]$EndDate,\r\n [Parameter()]\r\n [String]$MultilineCustomField,\r\n [Parameter()]\r\n [String]$WysiwygCustomField\r\n)\r\n\r\nbegin {\r\n # Set parameters using dynamic script variables.\r\n if ($env:eventLogName -and $env:eventLogName -notlike \"null\") { $EventLogName = $env:eventLogName }\r\n if ($env:eventLogSource -and $env:eventLogSource -notlike \"null\") { $EventLogSource = $env:eventLogSource }\r\n if ($env:eventLogMessage -and $env:eventLogMessage -notlike \"null\") { $EventLogMessage = $env:eventLogMessage }\r\n if ($env:eventIds -and $env:eventIds -notlike \"null\") { $EventIDs = $env:eventIds }\r\n if ($env:excludeEventIds -and $env:excludeEventIds -notlike \"null\") { $ExcludeEventIDs = $env:excludeEventIds }\r\n if ($env:eventStart -and $env:eventStart -notlike \"null\") { $StartDate = $env:eventStart }\r\n if ($env:eventEnd -and $env:eventEnd -notlike \"null\") { $EndDate = $env:eventEnd }\r\n if ($env:multilineCustomFieldName -and $env:multilineCustomFieldName -notlike \"null\") { $MultilineCustomField = $env:multilineCustomFieldName }\r\n if ($env:wysiwygCustomFieldName -and $env:wysiwygCustomFieldName -notlike \"null\") { $WysiwygCustomField = $env:wysiwygCustomFieldName }\r\n\r\n # Check if both StartDate and EndDate are provided and if StartDate is earlier than EndDate\r\n if (($StartDate -and $EndDate) -and $StartDate -gt $EndDate) {\r\n Write-Host -Object \"[Error] Start date cannot be earlier than end date!\"\r\n exit 1\r\n }\r\n\r\n # Verify that WysiwygField and MultiLineField are not the same, exiting with an error if they are.\r\n if ($WysiwygCustomField -and $MultilineCustomField -and ($WysiwygCustomField -eq $MultilineCustomField)) {\r\n Write-Host -Object \"[Error] Wysiwyg Field and Multiline Field are the same! Custom fields cannot be the same type.\"\r\n Write-Host -Object \"https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/18601842971789-Custom-Fields-by-Type-and-Functionality\"\r\n exit 1\r\n }\r\n\r\n # Ensure that at least one of Event ID, Event Log Name, or Event Source is provided for the query\r\n if (!$EventIDs -and !$EventLogName -and !$EventLogSource) {\r\n Write-Host -Object \"[Error] You must provide either an Event ID, Event Log Name or Event Source.\"\r\n exit 1\r\n }\r\n\r\n # Trimming trailing spaces.\r\n if ($EventLogName) {\r\n $EventLogName = $EventLogName.Trim()\r\n }\r\n\r\n # Retrieve and sort all event log names available on the system\r\n $EventLogNamesOnSystem = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Sort-Object LogName\r\n # Check if the provided EventLogName exists in the system's event logs\r\n if ($EventLogName -and ($EventLogNamesOnSystem).LogName -notcontains $EventLogName) {\r\n # If not found, print an error message and a list of valid event log names, then exit the script\r\n Write-Host -Object \"[Error] Event Log '$EventLogName' doesn't exist! See the list below for valid event log names.\"\r\n Write-Host -Object \"### Valid Event Log Names ###\"\r\n $EventLogNamesOnSystem | Select-Object -ExpandProperty LogName | Write-Host\r\n exit 1 \r\n }\r\n\r\n $InvalidEventSourceCharacters = \"[\\\\\/<>&`\"%\\|']\"\r\n if ($EventLogSource) {\r\n if ($EventLogSource -match $InvalidEventSourceCharacters) {\r\n Write-Host -Object \"[Error] Event Log Source '$EventLogSource' contains an invalid character!\"\r\n exit 1\r\n }\r\n\r\n if ($EventLogSource.Length -gt 255) {\r\n Write-Host -Object \"[Error] Event Log Source '$EventLogSource' is too large to be an event source!\"\r\n exit 1\r\n }\r\n\r\n # Trims the event log source for trailing spaces\r\n $EventLogSource = $EventLogSource.Trim()\r\n }\r\n\r\n # Prepare a list to hold valid event IDs to search for\r\n $EventIdsToSearch = New-Object System.Collections.Generic.List[int]\r\n # Process the input event IDs, removing any that are not purely numerical\r\n if ($EventIDs -and $EventIDs -match \",\") {\r\n # If multiple event IDs are provided and separated by commas, split them\r\n $EventIDs -split \",\" | ForEach-Object {\r\n $EventId = $_.Trim()\r\n # Validate each event ID to ensure it's numerical\r\n if ($EventId -match '[a-zA-Z]|\\W') {\r\n # If not, print an error and skip adding this ID to the list\r\n Write-Host \"[Error] Event ID '$EventId' is not a valid event id. Removing it from the search.\"\r\n $ExitCode = 1\r\n return\r\n }\r\n # Check size of event id\r\n if ([long]$EventId -gt 65535 -or [long]$EventId -lt 0) {\r\n Write-Host \"[Error] Event ID '$EventId' is not a valid event id. Event ID's must be less than or equal to 65535 and greater than or equal to 0. Removing it from the search.\"\r\n $ExitCode = 1\r\n return\r\n }\r\n \r\n # Add the validated event ID to the list\r\n $EventIdsToSearch.Add($EventId)\r\n }\r\n }\r\n elseif ($EventIDs) {\r\n $EventId = $EventIDs.Trim()\r\n # Handle a single event ID input\r\n if ($EventId -match '[a-zA-Z]|\\W') {\r\n Write-Host \"[Error] Event ID '$EventId' is not a valid event id. Removing it from the search.\"\r\n $ExitCode = 1\r\n }\r\n elseif ([long]$EventId -gt 65535 -or [long]$EventId -lt 0) {\r\n Write-Host \"[Error] Event ID '$EventId' is not a valid event id. Event ID's must be less than or equal to 65535 and greater than or equal to 0. Removing it from the search.\"\r\n $ExitCode = 1\r\n }\r\n else {\r\n $EventIdsToSearch.Add($EventId)\r\n }\r\n }\r\n \r\n # Prepare a list to hold event IDs that should be excluded from the search\r\n $EventsToExclude = New-Object System.Collections.Generic.List[int]\r\n \r\n # Similar process for excluded event IDs as regular event IDs\r\n if ($ExcludeEventIDs -and $ExcludeEventIDs -match \",\") {\r\n $ExcludeEventIDs -split \",\" | ForEach-Object {\r\n $ExcludeEventId = $_.Trim()\r\n if ($ExcludeEventId -match '[a-zA-Z]|\\W') {\r\n Write-Host \"[Error] Event ID '$ExcludeEventId' is not a valid event id. Removing it from the exclusions.\"\r\n $ExitCode = 1\r\n return\r\n }\r\n \r\n if ([long]$ExcludeEventId -gt 65535 -or [long]$ExcludeEventId -lt 0) {\r\n Write-Host \"[Error] Event ID '$ExcludeEventId' is not a valid event id. Event ID's must be less than or equal to 65535 and greater than or equal to 0. Removing it from the exclusions.\"\r\n $ExitCode = 1\r\n return\r\n }\r\n \r\n $EventsToExclude.Add($ExcludeEventId)\r\n }\r\n }\r\n elseif ($ExcludeEventIDs) {\r\n $ExcludeEventId = $ExcludeEventIDs.Trim()\r\n if ($ExcludeEventId -match '[a-zA-Z]|\\W') {\r\n Write-Host \"[Error] Event ID '$ExcludeEventId' is not a valid event id. Removing it from the exclusions.\"\r\n $ExitCode = 1\r\n }\r\n elseif ([long]$ExcludeEventId -gt 65535 -or [long]$ExcludeEventId -lt 0) {\r\n Write-Host \"[Error] Event ID '$ExcludeEventId' is not a valid event id. Event ID's must be less than or equal to 65535 and greater than or equal to 0. Removing it from the exclusions.\"\r\n $ExitCode = 1\r\n }\r\n else {\r\n $EventsToExclude.Add($ExcludeEventId)\r\n }\r\n }\r\n \r\n # Check if there are any event IDs to exclude and if the list of event IDs to search for is not empty.\r\n if ($EventsToExclude.Count -gt 0 -and $EventIdsToSearch.Count -gt 0) {\r\n $EventsToExclude | ForEach-Object {\r\n # Check if the current event ID from the exclusion list is also in the list of event IDs to search for.\r\n if ($EventIdsToSearch -contains $_) {\r\n Write-Warning \"Event ID $_ has been specified for both inclusion and exclusion. It will be excluded.\"\r\n }\r\n }\r\n }\r\n \r\n # Check if there's no valid event ID, log name, or log source provided and exit if true\r\n if ($EventIdsToSearch.Count -eq 0 -and !$EventLogName -and !$EventLogSource) {\r\n Write-Host \"[Error] No valid Event ID given and no Event Log Name or Event Log Source given.\"\r\n exit 1\r\n }\r\n\r\n # Handy function to set a custom field.\r\n function Set-NinjaProperty {\r\n [CmdletBinding()]\r\n Param(\r\n [Parameter(Mandatory = $True)]\r\n [String]$Name,\r\n [Parameter()]\r\n [String]$Type,\r\n [Parameter(Mandatory = $True, ValueFromPipeline = $True)]\r\n $Value,\r\n [Parameter()]\r\n [String]$DocumentName\r\n )\r\n\r\n $Characters = $Value | Out-String | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n if ($Characters -ge 200000) {\r\n throw [System.ArgumentOutOfRangeException]::New(\"Character limit exceeded, value with $Characters characters is greater than or equal to 200,000 characters.\")\r\n }\r\n \r\n # If we're requested to set the field value for a Ninja document we'll specify it here.\r\n $DocumentationParams = @{}\r\n if ($DocumentName) { $DocumentationParams[\"DocumentName\"] = $DocumentName }\r\n \r\n # This is a list of valid fields that can be set. If no type is given, it will be assumed that the input doesn't need to be changed.\r\n $ValidFields = \"Attachment\", \"Checkbox\", \"Date\", \"Date or Date Time\", \"Decimal\", \"Dropdown\", \"Email\", \"Integer\", \"IP Address\", \"MultiLine\", \"MultiSelect\", \"Phone\", \"Secure\", \"Text\", \"Time\", \"URL\", \"WYSIWYG\"\r\n if ($Type -and $ValidFields -notcontains $Type) { Write-Warning \"$Type is an invalid type! Please check here for valid types. https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality\" }\r\n \r\n # The field below requires additional information to be set\r\n $NeedsOptions = \"Dropdown\"\r\n if ($DocumentName) {\r\n if ($NeedsOptions -contains $Type) {\r\n # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.\r\n $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1\r\n }\r\n }\r\n else {\r\n if ($NeedsOptions -contains $Type) {\r\n $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1\r\n }\r\n }\r\n \r\n # If an error is received it will have an exception property, the function will exit with that error information.\r\n if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }\r\n \r\n # The below type's require values not typically given in order to be set. The below code will convert whatever we're given into a format ninjarmm-cli supports.\r\n switch ($Type) {\r\n \"Checkbox\" {\r\n # While it's highly likely we were given a value like \"True\" or a boolean datatype it's better to be safe than sorry.\r\n $NinjaValue = [System.Convert]::ToBoolean($Value)\r\n }\r\n \"Date or Date Time\" {\r\n # Ninjarmm-cli expects the GUID of the option to be selected. Therefore, the given value will be matched with a GUID.\r\n $Date = (Get-Date $Value).ToUniversalTime()\r\n $TimeSpan = New-TimeSpan (Get-Date \"1970-01-01 00:00:00\") $Date\r\n $NinjaValue = $TimeSpan.TotalSeconds\r\n }\r\n \"Dropdown\" {\r\n # Ninjarmm-cli is expecting the guid of the option we're trying to select. So we'll match up the value we were given with a guid.\r\n $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header \"GUID\", \"Name\"\r\n $Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID\r\n \r\n if (-not $Selection) {\r\n throw [System.ArgumentOutOfRangeException]::New(\"Value is not present in dropdown\")\r\n }\r\n \r\n $NinjaValue = $Selection\r\n }\r\n default {\r\n # All the other types shouldn't require additional work on the input.\r\n $NinjaValue = $Value\r\n }\r\n }\r\n \r\n # We'll need to set the field differently depending on if its a field in a Ninja Document or not.\r\n if ($DocumentName) {\r\n $CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2>&1\r\n }\r\n else {\r\n $CustomField = $NinjaValue | Ninja-Property-Set-Piped -Name $Name 2>&1\r\n }\r\n \r\n if ($CustomField.Exception) {\r\n throw $CustomField\r\n }\r\n }\r\n\r\n function Test-IsElevated {\r\n $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)\r\n }\r\n\r\n if (!$ExitCode) {\r\n $ExitCode = 0\r\n }\r\n}\r\nprocess {\r\n # Check if the script is running with elevated (Administrator) privileges\r\n if (!(Test-IsElevated)) {\r\n # If not, display an error message and exit with status code 1\r\n Write-Host -Object \"[Error] Access Denied. Please run with Administrator privileges.\"\r\n exit 1\r\n }\r\n\r\n # Prepare a list to hold event log names to search for\r\n $EventLogNamesToSearch = New-Object System.Collections.Generic.List[string]\r\n\r\n # If no event log name was required we'll search all the event\r\n if (!$EventLogName) {\r\n $EventLogNamesOnSystem | Where-Object { $_.RecordCount -gt 0 } | Select-Object -ExpandProperty LogName | ForEach-Object {\r\n $EventLogNamesToSearch.Add($_)\r\n }\r\n }\r\n else {\r\n $EventLogNamesToSearch.Add($EventLogName)\r\n }\r\n\r\n # Create XML object.\r\n [xml]$XML = New-Object System.Xml.XmlDocument\r\n\r\n # Add QueryList element to xml.\r\n $QueryList = $XML.CreateElement(\"QueryList\")\r\n $QueryList = $XML.AppendChild($QueryList)\r\n\r\n # Create query element and nest it under QueryList.\r\n $Query = $XML.CreateElement(\"Query\")\r\n $Query.SetAttribute(\"Id\", \"0\")\r\n $Query = $QueryList.AppendChild($Query)\r\n \r\n\r\n # Foreach event log to search we're going to create a select element.\r\n $EventLogNamesToSearch | ForEach-Object {\r\n # We'll start each loop by selecting the query element to add to.\r\n $Query = $XML.SelectSingleNode(\"\/\/Query\")\r\n\r\n # The select element starts off with the event log to search.\r\n $Select = $XML.CreateElement(\"Select\")\r\n $Select.SetAttribute(\"Path\", \"$_\")\r\n \r\n # Reset the inner text between runnings\r\n $XMLInnerText = $Null\r\n\r\n # The inner text of each element (<Element1>InnerText<\/Element1>) will need to be built differently depending on the parameters.\r\n if ($EventLogSource) {\r\n $XMLInnerText = \"*[System[Provider[@Name='$EventLogSource']]]\"\r\n }\r\n \r\n # If we're given a select number of event id's to search we'll filter them here.\r\n if ($EventIdsToSearch.Count -gt 0) {\r\n $EventIDSearchText = $Null\r\n $EventIdsToSearch | ForEach-Object {\r\n # We may have been given one event id or more than one.\r\n if ($EventIDSearchText) {\r\n $EventIDSearchText = \"$EventIDSearchText or EventID=$_\"\r\n }\r\n else {\r\n $EventIDSearchText = \"EventID=$_\"\r\n }\r\n }\r\n\r\n # We'll replace the two ending brackets with our given search text\r\n if ($XMLInnerText) {\r\n $XMLInnerText = $XMLInnerText -replace ']]$', \" and ($EventIDSearchText)]]\"\r\n }\r\n else {\r\n $XMLInnerText = \"*[System[($EventIDSearchText)]]\"\r\n }\r\n }\r\n\r\n # If we're also asked to filter based on the date the event was created we'll create the filter text here.\r\n if ($StartDate -or $EndDate) {\r\n $DateFilter = $Null \r\n if ($StartDate) {\r\n $XMLstartDate = Get-Date $StartDate -Format \"yyyy-MM-ddTHH:mm:ss\"\r\n # PowerShell will convert the < or > symbol for us when we go to save to the xml.\r\n $DateFilter = \"@SystemTime>='$XMLstartDate'\"\r\n }\r\n\r\n # We may or may not have been given a start date.\r\n if ($EndDate -and $DateFilter) {\r\n $XMLendDate = Get-Date $EndDate -Format \"yyyy-MM-ddTHH:mm:ss\"\r\n $DateFilter = \"$DateFilter and @SystemTime<='$XMLendDate'\"\r\n }\r\n elseif ($EndDate) {\r\n $XMLendDate = Get-Date $EndDate -Format \"yyyy-MM-ddTHH:mm:ss\"\r\n $DateFilter = \"@SystemTime<='$XMLendDate'\"\r\n }\r\n\r\n # Replace the last two closing brackets and add our filter text.\r\n if($XMLInnerText){\r\n $XMLInnerText = $XMLInnerText -replace ']]$', \" and TimeCreated[$DateFilter]]]\"\r\n }else{\r\n $XMLInnerText = \"*[System[TimeCreated[$DateFilter]]]\"\r\n }\r\n }\r\n\r\n # If no filters were given (other than the event log name) we'll need to select everything in that log\r\n if(!$XMLInnerText){\r\n $XMLInnerText = \"*\"\r\n }\r\n\r\n # Save our filter text to the select statement\r\n $Select.InnerText = $XMLInnerText\r\n\r\n # Append our select statement to our xml file\r\n $Query.AppendChild($Select) | Out-Null\r\n }\r\n\r\n # Search for matching events using the XML filter\r\n $MatchingEvents = Get-WinEvent -FilterXml $XML -ErrorAction SilentlyContinue\r\n\r\n # Exclude events based on the excluded event IDs if any are specified\r\n if ($EventsToExclude.Count -gt 0) {\r\n $MatchingEvents = $MatchingEvents | Where-Object { $EventsToExclude -notcontains $_.ID }\r\n }\r\n\r\n # Exclude events that do not match the keywords you specified.\r\n if ($EventLogMessage) {\r\n $MatchingEvents = $MatchingEvents | Where-Object { $_.Message -like \"*$EventLogMessage*\" }\r\n }\r\n\r\n # If the event log message is larger than 100 characters trim it and add ...\r\n if ($MatchingEvents) {\r\n $MatchingEvents = $MatchingEvents | Select-Object LevelDisplayName, LogName, ProviderName, Id, TimeCreated, @{\r\n Name = 'Message'\r\n Expression = {\r\n $Characters = $_.Message | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n if ($Characters -gt 100) {\r\n \"$(($_.Message).SubString(0,100))(...)\"\r\n }\r\n else {\r\n $_.Message\r\n }\r\n }\r\n }\r\n\r\n # Sort the object by newest event to oldest\r\n $MatchingEvents = $MatchingEvents | Sort-Object TimeCreated -Descending\r\n }\r\n\r\n # Set a Wysiwyg custom field if any matching events are found and it was requested.\r\n if ($WysiwygCustomField -and $MatchingEvents) {\r\n try {\r\n Write-Host \"Attempting to set Custom Field '$WysiwygCustomField'.\"\r\n\r\n # Prepare the custom field output.\r\n $CustomFieldValue = New-Object System.Collections.Generic.List[string]\r\n\r\n # Convert the matching events into an html report.\r\n $htmlTable = $MatchingEvents | Select-Object -Property LevelDisplayName, LogName, ProviderName, Id, TimeCreated, Message | ConvertTo-Html -Fragment\r\n \r\n # Set color coding\r\n $htmlTable = $htmlTable -replace \"<tr><td>Verbose<\/td>\", \"<tr class=`\"other`\"><td>Verbose<\/td>\"\r\n $htmlTable = $htmlTable -replace \"<tr><td>Warning<\/td>\", \"<tr class=`\"warning`\"><td>Warning<\/td>\"\r\n $htmlTable = $htmlTable -replace \"<tr><td>Error<\/td>\", \"<tr class=`\"danger`\"><td>Error<\/td>\"\r\n $htmlTable = $htmlTable -replace \"<tr><td>Critical Error<\/td>\", \"<tr class=`\"danger`\"><td>Critical Error<\/td>\"\r\n\r\n # Remove Level Display Name\r\n $LevelDisplayNames = $MatchingEvents | Select-Object -Property LevelDisplayName -Unique\r\n $LevelDisplayNames | ForEach-Object {\r\n $htmlTable = $htmlTable -replace \"<td>$([Regex]::Escape($_.LevelDisplayName))<\/td>\"\r\n }\r\n $htmlTable = $htmlTable -replace \"<th>LevelDisplayName<\/th>\"\r\n\r\n # Add the newly created html into the custom field output.\r\n $CustomFieldValue.Add($htmlTable)\r\n\r\n # Check that the output complies with the hard character limits.\r\n $Characters = $CustomFieldValue | Out-String | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n if ($Characters -ge 199500) {\r\n Write-Warning \"200,000 Character Limit has been reached! Trimming output until the character limit is satisified...\"\r\n \r\n # If it doesn't comply with the limits we'll need to recreate it with some adjustments.\r\n $i = 0\r\n do {\r\n # Recreate the custom field output starting with a warning that we truncated the output.\r\n $CustomFieldValue = New-Object System.Collections.Generic.List[string]\r\n $CustomFieldValue.Add(\"<h1>This info has been truncated to accommodate the 200,000 character limit.<\/h1>\")\r\n\r\n # The custom field information is sorted from newest to oldest. We'll remove the oldest first by flipping the array upside down.\r\n [array]::Reverse($htmlTable)\r\n # If the next entry is a row we'll delete it.\r\n if ($htmlTable[$i] -match '<tr><td>' -or $htmlTable[$i] -match '<tr class=') {\r\n $htmlTable[$i] = $null\r\n }\r\n $i++\r\n # We'll flip the array back to right side up.\r\n [array]::Reverse($htmlTable)\r\n\r\n # Add it back to the output.\r\n $CustomFieldValue.Add($htmlTable)\r\n\r\n # Check that we now comply with the character limit. If not restart the do loop.\r\n $Characters = $CustomFieldValue | Out-String | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n }while ($Characters -ge 199500)\r\n }\r\n\r\n # Set the custom field.\r\n Set-NinjaProperty -Name $WysiwygCustomField -Value $CustomFieldValue\r\n Write-Host \"Successfully set Custom Field '$WysiwygCustomField'!\"\r\n }\r\n catch {\r\n Write-Host \"[Error] $($_.Exception.Message)\"\r\n $ExitCode = 1\r\n }\r\n }\r\n\r\n # Set a multiline custom field if any matching events are found and it was requested.\r\n if ($MultilineCustomField -and $MatchingEvents) {\r\n try {\r\n Write-Host \"Attempting to set Custom Field '$MultilineCustomField'.\"\r\n $CustomFieldValue = New-Object System.Collections.Generic.List[string]\r\n\r\n # We don't want to edit the matching Events array if we have to truncate later so we'll create a duplicate here.\r\n $CustomFieldList = $MatchingEvents | Select-Object -Property LogName, ProviderName, Id, TimeCreated, Message\r\n\r\n # Format the matching items into a nice list with the relevant properties.\r\n $CustomFieldValue.Add(($CustomFieldList | Format-List -Property LogName, ProviderName, Id, TimeCreated, Message | Out-String))\r\n \r\n # Check that the output complies with the hard character limits.\r\n $Characters = $CustomFieldValue | Out-String | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n if ($Characters -ge 9500) {\r\n Write-Warning \"10,000 Character Limit has been reached! Trimming output until the character limit is satisified...\"\r\n \r\n # If it doesn't comply with the limits we'll need to recreate it with some adjustments.\r\n $i = 0\r\n do {\r\n # Recreate the custom field output starting with a warning that we truncated the output.\r\n $CustomFieldValue = New-Object System.Collections.Generic.List[string]\r\n $CustomFieldValue.Add(\"This info has been truncated to accommodate the 10,000 character limit.\")\r\n \r\n # The custom field information is sorted from newest to oldest. We'll remove the oldest events first by flipping the array upside down.\r\n [array]::Reverse($CustomFieldList)\r\n\r\n # Remove the next item which in this case will be the oldest item.\r\n $CustomFieldList[$i] = $null\r\n $i++\r\n\r\n # We'll flip the array back to right side up.\r\n [array]::Reverse($CustomFieldList)\r\n\r\n # Add it back to the output.\r\n $CustomFieldValue.Add(($CustomFieldList | Format-List -Property LogName, ProviderName, Id, TimeCreated, Message | Out-String))\r\n\r\n # Check that we now comply with the character limit. If not restart the do loop.\r\n $Characters = $CustomFieldValue | Out-String | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n }while ($Characters -ge 9500)\r\n }\r\n\r\n Set-NinjaProperty -Name $MultilineCustomField -Value $CustomFieldValue\r\n Write-Host \"Successfully set Custom Field '$MultilineCustomField'!\"\r\n }\r\n catch {\r\n Write-Host \"[Error] $($_.Exception.Message)\"\r\n $ExitCode = 1\r\n }\r\n }\r\n\r\n # If any matching events were found output them into the activity log.\r\n if ($MatchingEvents) {\r\n Write-Host \"Matching Events Found!\"\r\n $MatchingEvents | Format-List LogName, ProviderName, Id, TimeCreated, Message | Out-String | Write-Host\r\n }\r\n else {\r\n Write-Host \"No matching events found!\"\r\n }\r\n\r\n exit $ExitCode\r\n}\r\nend {\r\n \r\n \r\n \r\n}<\/pre>\n <\/p>\n\n