{"id":3234,"date":"2013-07-15T00:01:00","date_gmt":"2013-07-15T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/07\/15\/use-powershell-and-a-filter-hash-table-to-speed-boot-trace\/"},"modified":"2013-07-15T00:01:00","modified_gmt":"2013-07-15T00:01:00","slug":"use-powershell-and-a-filter-hash-table-to-speed-boot-trace","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-and-a-filter-hash-table-to-speed-boot-trace\/","title":{"rendered":"Use PowerShell and a Filter Hash Table to Speed Boot Trace"},"content":{"rendered":"

Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about using a filter hash table with Windows PowerShell to speed up boot trace parsing.<\/span><\/p>\n

\"Hey, Hey, Scripting Guy! I don’t get it. You wrote a script yesterday, and said that the performance was bad. You suggested that you could improve the performance, but then you did not do anything about it. Why? Is it that the technique is too hard and you want to avoid work? This is disheartening to know if it is true. How about you throw us a bone so we can feed that dog of a script you wrote.<\/p>\n

—AB<\/p>\n

\"Hey, Hello AB,<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Well, this morning I am sipping a cup of Darjeeling tea with a bit of lemon grass, crushed cinnamon stick, and a half spoonful of spearmint. The spearmint heightens the flavor, without overpowering it. The effect is quite soothing.<\/p>\n

AB, I am sorry you feel like I am sloughing off by not improving the performance of my previous script. It worked for me, and that was my primary concern. In addition, I have written quite a bit about improving the performance of event trace queries. The best post is How to Improve the Performance of a PowerShell Event Log Query<\/a>. To test the efficacy of my changes, I use the Test-TwoScripts.ps1 script that I talked about in How Can I Test the Efficacy of My Script Modifications?<\/a><\/p>\n

Note<\/strong>  This post is a continuation of Use PowerShell to Get Boot-Up Trace Events<\/a>.<\/p>\n

Using the FilterHashTable parameter<\/h2>\n

Sometimes, making a small change results in huge time savings. This script is an example. Using the FilterHashTable<\/strong> <\/em>parameter is nearly always a good idea when it comes to filtering via the Get-WinEvent<\/strong> cmdlet. The key is a hash table—not surprising really. The hash table is used to filter—once again, no surprise.<\/p>\n

A hash table has the “key = value” type of syntax. Therefore, the only thing that needs to be clarified is what can I use for a key? Luckily, these are well documented in the online Help for Get-WinEvent<\/a>. Key pair values for the FilterHashTable<\/strong> <\/em>parameter need to be one of the following:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

    Key<\/strong><\/p>\n<\/td>\n

\n

    Value Data Type<\/strong><\/p>\n<\/td>\n<\/tr>\n

\n

     LogName<\/p>\n<\/td>\n

\n

    <String[]><\/p>\n<\/td>\n<\/tr>\n

\n

    ProviderName<\/p>\n<\/td>\n

\n

    <String[]><\/p>\n<\/td>\n<\/tr>\n

\n

    Path<\/p>\n<\/td>\n

\n

    <String[]><\/p>\n<\/td>\n<\/tr>\n

\n

    Keywords<\/p>\n<\/td>\n

\n

    <Long[]><\/p>\n<\/td>\n<\/tr>\n

\n

    ID<\/p>\n<\/td>\n

\n

    <Int32[]><\/p>\n<\/td>\n<\/tr>\n

\n

    Level<\/p>\n<\/td>\n

\n

    <Int32[]><\/p>\n<\/td>\n<\/tr>\n

\n

    StartTime<\/p>\n<\/td>\n

\n

    <DateTime><\/p>\n<\/td>\n<\/tr>\n

\n

    EndTime<\/p>\n<\/td>\n

\n

    <DataTime><\/p>\n<\/td>\n<\/tr>\n

\n

    UserID<\/p>\n<\/td>\n

\n

    <SID><\/p>\n<\/td>\n<\/tr>\n

\n

    Data<\/p>\n<\/td>\n

\n

    <String[]><\/p>\n<\/td>\n<\/tr>\n

\n

    *<\/p>\n<\/td>\n

\n

    <String[]><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Using FilterHashTable for a filter<\/h2>\n

The first thing to keep in mind when using the <\/span>FilterHashTable<\/strong> parameter for a filter is that when you use it, you must include the name of the log. This is because the parameter set that contains <\/span>FilterHashTable<\/strong> does not also include <\/span>LogName<\/strong>. The parameter set that includes <\/span>LogName<\/strong> does not include the <\/span>FilterHashTable<\/strong> parameter. These sets are shown here:<\/span><\/p>\n

LogName<\/strong>:<\/p>\n

Get-WinEvent [[-LogName] <String[]>] [-ComputerName <String>] [-Credential<\/p>\n

<PSCredential>] [-FilterXPath <String>] [-Force [<SwitchParameter>]]<\/p>\n

[-MaxEvents <Int64>] [-Oldest [<SwitchParameter>]] [<CommonParameters>]<\/p>\n

FilterHashTable<\/strong>:<\/span><\/p>\n

Get-WinEvent [-FilterHashtable] <Hashtable[]> [-ComputerName <String>]<\/p>\n

[-Credential <PSCredential>] [-Force [<SwitchParameter>]] [-MaxEvents <Int64>]<\/p>\n

[-Oldest [<SwitchParameter>]] [<CommonParameters>]<\/p>\n

So by using the previous table, I can easily modify the <\/span>Foreach<\/strong> portion of my script. Here is the original script:<\/span><\/p>\n

Get-WinEvent -LogName $log.Logname -ea 0 |<\/p>\n

  where {$_.timecreated -gt $bootTime -and $_.timecreated -lt $bootTime.AddMinutes(5)}<\/p>\n

Here is the modified script:<\/p>\n

Get-WinEvent -ea 0 -filterHashTable @{<\/p>\n

    LogName = $log.Logname;<\/p>\n

    StartTime = $bootTime;<\/p>\n

    EndTime = $bootTime.AddMinutes(5)}<\/p>\n

Not only does the script run a lot faster, but the FilterHashTable<\/strong> script is easier to read. Here is the complete, revised script:<\/p>\n

$bootTime = (Get-CimInstance win32_Operatingsystem).lastbootuptime<\/p>\n

“Boot time is $($bootTime)”<\/p>\n

Foreach($log in Get-WinEvent -ListLog *)<\/p>\n

 {<\/p>\n

  “Events from $($log.Logname) event log”<\/p>\n

    Get-WinEvent -ea 0 -filterHashTable @{<\/p>\n

    LogName = $log.Logname;<\/p>\n

    StartTime = $bootTime;<\/p>\n

    EndTime = $bootTime.AddMinutes(5)}<\/p>\n

  } <\/p>\n

Tracking the changes<\/h2>\n

So how did the changes do? Well, the original script took an average of 595 seconds to complete—that is nearly 10 minutes. The revised script took an average of 10 seconds to run!<\/p>\n

\"Image<\/a><\/p>\n

And it did not take all that long to make the change. In fact, it took me less than three minutes to change it. The cool part is that the change took less than half the time it took for the script to run. Bottom line, do not be afraid of FilterHashTable<\/strong>. Use it all the time. Filter to the left of the pipeline, not to the right of the pipeline.<\/p>\n

AB, that is all there is to using the FilterHashTable<\/strong> parameter to improve the performance of a Windows PowerShell event script. Join me tomorrow when I will talk about other cool Windows PowerShell stuff.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using a filter hash table with Windows PowerShell to speed up boot trace parsing.  Hey, Scripting Guy! I don’t get it. You wrote a script yesterday, and said that the performance was bad. You suggested that you could improve the performance, but then you did not do […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,60,3,4,45],"class_list":["post-3234","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-performance","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using a filter hash table with Windows PowerShell to speed up boot trace parsing.  Hey, Scripting Guy! I don’t get it. You wrote a script yesterday, and said that the performance was bad. You suggested that you could improve the performance, but then you did not do […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=3234"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/3234\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=3234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=3234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=3234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}