WQL - EVENT QUERY

WMI EVENT QUERY

 

EVENT-WQL = “SELECT” <PROPERTY-LIST> “FROM” /
<EVENT-CLASS-NAME> <OPTIONAL-WITHIN> <EVENT-WHERE>

OPTIONAL-WITHIN = ["WITHIN" <INTERVAL>]
INTERVAL = 1*DIGIT
EVENT-WHERE = ["WHERE" <EVENT-EXPR>]

EVENT-EXPR = ( (<INSTANCE-STATE> “ISA” <CLASS-NAME> <EXPR2>) /
< EXPR> )
["GROUP WITHIN" <INTERVAL>
( ["BY" [<INSTANCE-STATE> DOT] <PROPERTY-NAME>]
["HAVING" <EXPR>]] )
INSTANCE-STATE = “TARGETINSTANCE” / “PREVIOUSINSTANCE”

 

 

WITHIN

SELECT * FROM eventclass WITHIN interval  WHERE property = value

 

GROUP

SELECT * FROM EventClass [WHERE property = value] GROUP WITHIN interval

#Build a WMI query for receiving an event$query= "Select * from __instanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' ANDTargetInstance.EventCode=1980 GROUP WITHIN 300"#Register the eventRegister-WmiEvent-Query $query -Action {Write-Host"Eventlog Arrived" }

 

HAVING

#Build a WMI query for receiving an event$query= "Select * from __instanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' ANDTargetInstance.EventCode=1980 GROUP WITHIN 300 HAVING NumberOfEvents > 10"#Register the eventRegister-WmiEvent -Query $query -Action {Write-Host"Eventlog Arrived" }

SELECT * FROM EventClass [WHERE property = value]
GROUP WITHIN interval HAVING NumberOfEvents operator constant

 

BY

SELECT * FROM EventClass [WHERE property = value]
GROUP WITHIN interval [BY property_list]

#Build a WMI query for receiving an event$query= "Select * from __instanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' `                                                GROUP WITHIN 300 BY TargetInstance.SourceName `                                                HAVING NumberOfEvents > 10"#Register the eventRegister-WmiEvent-Query $query -Action {Write-Host"Eventlog Arrived" }