EventLogQuery time format expected?

Question

EventLogQuery time format expected?

I am trying to use the EventLogQuery class to query an event log. I followed the example shown at http://msdn.microsoft.com/en-us/library/bb671200%28v=vs.90%29.aspx#Y0 .

I searched google ton but cannot find any queries with @SystemTime not hardcoded there.

Does anyone know the DateTime format I need to use for this? Everything I've tried so far has returned Invalid Query exceptions.

+6

.net

user1106686 Dec 19 '11 at 20:48

source share

4 answers

Here is another C # to initialize an EventLogQuery object that will load events for a specific date range

 var startTime = DateTime.Now.AddDays(-1); var endTime = DateTime.Now; var query = string.Format("*[System[TimeCreated[@SystemTime >= '{0}']]] and *[System[TimeCreated[@SystemTime <= '{1}']]]", startTime.ToUniversalTime().ToString("o"), endTime.ToUniversalTime().ToString("o")); var elq = new EventLogQuery("Applicaton", PathType.LogName, query);

+4

Michael kniskern Mar 29 '16 at 17:18

source share

Here's a C # example to initialize an EventLogQuery object that will only load event records from the last day.

 var yesterday = DateTime.UtcNow.AddDays(-1); var yesterdayDtFormatStr = yesterday.ToString( "yyyy-MM-ddTHH:mm:ss.fffffff00K", CultureInfo.InvariantCulture ); var query = string.Format( "*[System/TimeCreated/@SystemTime >='{0}']", yesterdayDtFormatStr ); var elq = new EventLogQuery("Application", PathType.LogName, query);

+2

Leslie davies Jan 21 '15 at 21:43

source share

XML Event

Here's an example XML with a string version of the expected date format.

 <TimeCreated SystemTime="2006-02-28T21:51:44.754Z" />

0

Bueller Dec 19 '11 at 21:01

source share

Samu lang · Accepted Answer · 2011-12-20T12:22:27+0000

EventLogQuery uses the XML format to query the event log. You can find the schema for the XML request here .

Text Select Element - An XPath expression calculated against serializing XML events.

You can find the schema for the XML event here .

The TimeCreated element has a SystemTime attribute of type dateTime , so the format of this (in your XML request) is what the XPath processor can parse as a valid dateTime (see 3.2.7.1. Lexical representation for specifics).

For example, you can try this query:

<QueryList> <Query Id="0" Path="Application"> <Select Path="Application">*[System[TimeCreated[@SystemTime = '2011-12-20T00:42:53.000000000Z']]]</Select> </Query> </QueryList>

Which parses and returns a value if you have an event that was generated exactly on the given date and time.

Also dateDiff is a Filter XPath protocol extension function that takes one or two SYSTEMTIME arguments and returns a number, so just use the number in the expression using this function (as in your example).

PS You can use the Windows event viewer ( %windir%\system32\eventvwr.msc ) to enter and quickly evaluate the XML query XML to create custom views (Windows Vista, 7 and 2008). only):

EventLogQuery time format expected?

More articles: