{"id":72591,"date":"2015-10-22T00:01:00","date_gmt":"2015-10-22T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/10\/22\/check-performance-of-event-log-queries\/"},"modified":"2019-02-18T09:34:49","modified_gmt":"2019-02-18T16:34:49","slug":"check-performance-of-event-log-queries","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/check-performance-of-event-log-queries\/","title":{"rendered":"Check Performance of Event Log Queries"},"content":{"rendered":"<p><b style=\"font-size:12px\">Summary<\/b><span style=\"font-size:12px\">: Ed Wilson, Microsoft Scripting Guy, talks about checking the performance of various event log queries.<\/span><\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. One of the great things about Windows PowerShell is that I can use Windows PowerShell to see how it is doing and how to optimize it. Sometimes the difference between one query and another query can be remarkable.<\/p>\n<p>So how can I do performance monitoring for a command? I use the <b>Measure-Command<\/b> cmdlet. Here is an example of such a command:<\/p>\n<p style=\"margin-left:30px\">Measure-Command -Expression {Get-EventLog -LogName application}<\/p>\n<p>This command uses the <b>Get-EventLog<\/b> cmdlet to read the entire contents of the application log. 
The output from the command is shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-01.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-01.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>If I want to compare this with the <b>Get-WinEvent<\/b> cmdlet, I use a filter hash table that selects all entries from the application log:<\/p>\n<p style=\"margin-left:30px\">Measure-Command -Expression {Get-WinEvent @{logname=&#039;application&#039;}}<\/p>\n<p>The output from this command is shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-02.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-02.png\" alt=\"Image of command output\" title=\"Image of command output\" width=\"550\" height=\"264\" \/><\/a><\/p>\n<p>The first command takes less than a second, and the second command takes nearly 20 seconds. Dude, that is significant.<\/p>\n<p>What if I filter on event types? I only want errors. 
Here is the first command:<\/p>\n<p style=\"margin-left:30px\">Measure-Command -Expression {Get-EventLog -LogName application -EntryType error}<\/p>\n<p>The output is shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-03.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-03.png\" alt=\"Image of command output\" title=\"Image of command output\" width=\"550\" height=\"264\" \/><\/a><\/p>\n<p>It is a little bit faster than the original command, but basically they are the same&mdash;less than a second difference.<\/p>\n<p>Here is the same command for the <b>Get-WinEvent<\/b> cmdlet:<\/p>\n<p style=\"margin-left:30px\">Measure-Command{Get-WinEvent @{logname=&#039;application&#039;;level=2 }}<\/p>\n<p>The output is shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/2047.hsg-10-22-15-04.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/2047.hsg-10-22-15-04.png\" alt=\"Image of command output\" title=\"Image of command output\" width=\"550\" height=\"264\" \/><\/a><\/p>\n<p>Interestingly enough, although the &ldquo;get everything from the application log&rdquo; command of <b>Get-WinEvent<\/b> was really slow, it speeds up considerably when also filtering for the entry type. In fact, it came out a little faster than the <b>Get-EventLog<\/b> command.<\/p>\n<p>What about when filtering with the event ID in addition to the event level? Well, here is the command for <b>Get-EventLog<\/b>:<\/p>\n<p style=\"margin-left:30px\">Measure-Command -Expression {Get-EventLog -LogName application -EntryType error -InstanceId 490}<\/p>\n<p>The output tells me that basically it does not make much difference for the <b>Get-EventLog<\/b> cmdlet. 
827 milliseconds or 767 milliseconds are essentially the same.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-05.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-05.png\" alt=\"Image of command output\" title=\"Image of command output\" width=\"550\" height=\"264\" \/><\/a><\/p>\n<p>What about adding the event log event ID to the <b>Get-WinEvent<\/b> cmdlet?<\/p>\n<p style=\"margin-left:30px\">Measure-Command -Expression {Get-WinEvent @{logname=&#039;application&#039;;level=2;id=490}}<\/p>\n<p>Here is the output:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-06.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-06.png\" alt=\"Image of command output\" title=\"Image of command output\" width=\"550\" height=\"264\" \/><\/a><\/p>\n<p>By adding an event ID to the query, we again speed it up a lot. 61 milliseconds as opposed to 709 milliseconds.<\/p>\n<p style=\"margin-left:30px\"><b>Note<\/b>&nbsp; Subsecond comparisons for <b>Measure-Command<\/b> are not really very accurate, and therefore, they should be taken with a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Grain_of_salt\">grain of salt<\/a>. 
The key is that it again appears to be faster.<\/p>\n<p>If I add a date to the filter with <b>Get-EventLog<\/b>, it does not appear to make much difference:<\/p>\n<p style=\"margin-left:30px\">Measure-Command -Expression {Get-EventLog -LogName application -EntryType error -InstanceId 490 -After 10\/1\/2015}<\/p>\n<p>Adding the start time to the <b>Get-WinEvent<\/b> query also does not make much difference:<\/p>\n<p style=\"margin-left:30px\">Measure-Command{Get-WinEvent @{logname=&#039;application&#039;;level=2;id=490;Starttime=&#039;10\/1\/2015&#039;}}<\/p>\n<p>The two commands and their associated output are shown here:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-07.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-22-15-07.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>That is all there is to using <b>Measure-Command<\/b> to check the performance of different queries. Join me tomorrow when I will begin a video recap of event log querying.<span style=\"font-size:12px\">&nbsp;<\/span><\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><b>Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Ed Wilson, Microsoft Scripting Guy, talks about checking the performance of various event log queries. Microsoft Scripting Guy, Ed Wilson, is here. 
One of the great things about Windows PowerShell is that I can use Windows PowerShell to see how it is doing and how to optimize it. Sometimes the difference between one query [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[632,98,3,45],"class_list":["post-72591","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events","tag-logs-and-monitoring","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Ed Wilson, Microsoft Scripting Guy, talks about checking the performance of various event log queries. Microsoft Scripting Guy, Ed Wilson, is here. One of the great things about Windows PowerShell is that I can use Windows PowerShell to see how it is doing and how to optimize it. Sometimes the difference between one query 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72591","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=72591"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72591\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=72591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=72591"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=72591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}