![\"Script](\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/ad.jpg\" "\\"Script")
<\/A> \nHey, KM. Well, as it turns out WMI doesn\u2019t have<\/I> an equivalent to the Select Top command; for better or worse, the WMI Query Language (WQL) has only a small subset of the commands found in SQL. That doesn\u2019t mean we can\u2019t return only the last record written to an event log, it just means we have to be a bit sneaky about it.<\/P>\n
To get just the last record we need to do two things. To begin with, we need to figure out how many records are in an event log. That\u2019s important information, because events are numbered sequentially when they are added to an event log; in other words, the first event written to an event log is record 1, the second is record 2, etc. If there are 4,912 events in an event log, then the very last record written to the log has to be record number 4912. After we know the total number of records, we can then write a query that returns only events with a record number equal to the total number of records. That record is the last record written to the log.<\/P>\n
Here\u2019s a simple little script that determines the total number of records in the Application event log, and stores that value in the variable intRecords:<\/P>
strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:” _\n & “{impersonationLevel=impersonate}!\\\\” & strComputer & “\\root\\cimv2”)<\/p>\nSet objInstalledLogFiles = objWMIService.ExecQuery _\n (“Select * from Win32_NTEventLogFile Where LogFileName = ‘Application'”)<\/p>\n
For Each objLogfile in objInstalledLogFiles\n intRecords = objLogFile.NumberOfRecords\nNext\n<\/PRE>\n
Now we need a query that returns all events from the Application event log where the RecordNumber is equal to value of intRecords (and there will only be one such record, seeing as how record numbers are unique). Here\u2019s a query that does just that:<\/P>
Set colLoggedEvents = objWMIService.ExecQuery _\n (“Select * From Win32_NTLogEvent Where Logfile = ‘Application’ AND ” & _\n “RecordNumber = ” & intRecords)\n<\/PRE>\nAll that\u2019s left now is to put these two script snippets together, and then add a For Each loop in which we echo the properties of this record:<\/P>
strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:” _\n & “{impersonationLevel=impersonate}!\\\\” & strComputer & “\\root\\cimv2”)<\/p>\nSet objInstalledLogFiles = objWMIService.ExecQuery _\n (“Select * from Win32_NTEventLogFile Where LogFileName = ‘Application'”)<\/p>\n
For Each objLogfile in objInstalledLogFiles\n intRecords = objLogFile.NumberOfRecords\nNext<\/p>\n
Set colLoggedEvents = objWMIService.ExecQuery _\n (“Select * From Win32_NTLogEvent Where Logfile = ‘Application’ AND ” & _\n “RecordNumber = ” & intRecords)<\/p>\n
For Each objEvent in colLoggedEvents\n Wscript.Echo “Category: ” & objEvent.Category\n Wscript.Echo “Computer Name: ” & objEvent.ComputerName\n Wscript.Echo “Event Code: ” & objEvent.EventCode\n Wscript.Echo “Message: ” & objEvent.Message\n Wscript.Echo “Record Number: ” & objEvent.RecordNumber\n Wscript.Echo “Source Name: ” & objEvent.SourceName\n Wscript.Echo “Time Written: ” & objEvent.TimeWritten\n Wscript.Echo “Event Type: ” & objEvent.Type\n Wscript.Echo “User: ” & objEvent.User\nNext\n<\/PRE>\n
That should do the trick. <\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I read only the last record written to an event log? In other words, what is the WMI equivalent to the SQL statement Select Top 1?— KM Hey, KM. Well, as it turns out WMI doesn\u2019t have an equivalent to the Select Top command; for better or worse, the WMI […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,5],"class_list":["post-70733","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I read only the last record written to an event log? In other words, what is the WMI equivalent to the SQL statement Select Top 1?— KM Hey, KM. Well, as it turns out WMI doesn\u2019t have an equivalent to the Select Top command; for better or worse, the WMI […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=70733"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70733\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=70733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=70733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=70733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" "\\"Hey,")
\n![\"Spacer\"](\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\")
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" "\\"Hey,")