Question
When retrieving events after a specific date Get-WinEvent seems to be slower than Get-EventLog:
$SourceComputer = "MyServer"
$LogName = "Security"
$StartDate = (get-date).AddMinutes(-30)
$hashquery = @{logname=$LogName; StartTime=$StartDate}
(Measure-Command -Expression {Get-WinEvent -ComputerName $SourceComputer -FilterHashTable $hashquery}).TotalSeconds
(Measure-Command -Expression {Get-EventLog -Computer $SourceComputer -LogName $Logname -After $StartDate}).TotalSeconds
Output:
Get-WinEvent: 128.8475308
Get-EventLog: 4.5299092
This seems odd since Get-WinEvent is supposed to perform better than the older Get-EventLog function. Am I doing something wrong?
Answer 1:
...Get-WinEvent is supposed to perform better than the older Get-EventLog...
With most parameters, this is correct. Get-WinEvent is faster than Get-EventLog, because Get-EventLog grabs the entire EventLog, then locally filters.
However, Get-WinEvent does have a few caveats, the first being -FilterHashtable, which has a few bugs.
The second being that -FilterHashtable is very slow as per the bottom of the blog post cited by Ansgar Wiechers. The recommendation is to use -FilterXML.
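Added example, not part of the original answer: the question's 30-minute Security log query written for -FilterXml, so its timing can be compared with the two measurements in the question. "MyServer" is the placeholder host name from the question; the timestamp format and the error handling are choices made for this example.

```powershell
# Added example: same query as the question, expressed as a structured XML query.
$SourceComputer = "MyServer"      # placeholder host name from the question
$LogName        = "Security"
$StartDate      = (Get-Date).AddMinutes(-30)

# The SystemTime attribute of an event is UTC. Convert the local start time first,
# otherwise the window is shifted by the local UTC offset.
$startUtc = $StartDate.ToUniversalTime().ToString(
    "yyyy-MM-ddTHH:mm:ss.fffZ",
    [System.Globalization.CultureInfo]::InvariantCulture)

# XPath filter on TimeCreated. '>' is written as '&gt;' because the query is XML.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[TimeCreated[@SystemTime&gt;='$startUtc']]]</Select>
  </Query>
</QueryList>
"@

$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    $events = Get-WinEvent -ComputerName $SourceComputer -FilterXml $filterXml -ErrorAction Stop
    $sw.Stop()
    "{0} events since {1} in {2:N1} s" -f @($events).Count, $startUtc, $sw.Elapsed.TotalSeconds
}
catch {
    $sw.Stop()
    # Get-WinEvent reports an empty result as an error instead of returning nothing.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        "No events since {0} ({1:N1} s)" -f $startUtc, $sw.Elapsed.TotalSeconds
    }
    else {
        throw
    }
}
```

Reading the Security log requires administrative rights or membership in Event Log Readers on the target host.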
Answer 2:
According to this blog post, Get-EventLog seems to be significantly slower when used against remote hosts.
Source: https://stackoverflow.com/questions/16731635/why-is-get-winevent-slower-than-get-eventlog-when-getting-events-after-a-date