PowerShell Diversion #2: Charts, Tables and Events

In an old post I discussed using the Microsoft Chart Controls to generate some professional-looking charts from PowerShell. These are great if you want to use the charts in a formal report or presentation, but what if all you want is a basic bar chart to help you quickly compare some values in a table?

For example, here is a table that compares the working set values for some processes:

Name              Working Set Chart         
----              ----------- -----         
svchost                133.19 XXXXXXXXXXXXXXXXXXXX
powershell_ise         112.82 XXXXXXXXXXXXXXXXX  
sqlservr                78.07 XXXXXXXXXXXX       
MsMpEng                 74.93 XXXXXXXXXXX        
svchost                 68.20 XXXXXXXXXX             
explorer                57.93 XXXXXXXXX          
svchost                 55.70 XXXXXXXX           
CcmExec                 41.02 XXXXXX             
dwm                     35.68 XXXXX              
SearchIndexer           30.46 XXXXX              
msitcertsvc             25.86 XXXX               
DcaTray                 25.77 XXXX               
svchost                 25.27 XXXX               
svchost                 23.95 XXXX 

The ‘chart’ is constructed in such a way that the number of Xs for each entry is relative to the maximum value for the target property.  So, here I have chosen a value of 20 Xs for the top svchost process which has a WS of 133.  This means, for example, that explorer with a WS of 58 will have 9 Xs:

20/9 ≈ 133/58

Thus, the general formula is:

Number of Xs = [(Maximum Xs) * (Current Property Value)] / (Maximum Property Value)

Obviously there is some slight discrepancy since we can’t show fractions of an X. The choice of 20 as the maximum is arbitrary (though constrained by the display width) - you can try a different number to see what looks good, or indeed use a character other than an X.
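The formula above as a reusable pipeline function, applied to the working set table and rounding to the nearest whole X as that table does. This is an added example, not code from the original post; the function name Add-TextChart, its parameters, and the use of megabytes for the working set column are assumptions.

```powershell
# Added example: Add-TextChart is a hypothetical helper, not part of PowerShell.
function Add-TextChart {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $InputObject,
        [Parameter(Mandatory)] [string] $Property,   # numeric property to chart
        [ValidateRange(1, 200)] [int] $MaxWidth = 20, # Xs shown for the largest value
        [char] $Character = 'X'
    )
    begin {
        # The maximum is only known once every row has arrived, so buffer the input.
        $items = [System.Collections.Generic.List[psobject]]::new()
    }
    process { $items.Add($InputObject) }
    end {
        if ($items.Count -eq 0) { return }
        $max = ($items | Measure-Object -Property $Property -Maximum).Maximum

        foreach ($item in $items) {
            $count = 0
            if ($max -gt 0) {
                # Number of Xs = (Maximum Xs * Current Value) / Maximum Value
                $scaled = ($MaxWidth * $item.$Property) / $max
                $count  = [int][math]::Round($scaled, [MidpointRounding]::AwayFromZero)
                $count  = [math]::Max(0, $count)  # negative values get an empty bar
            }
            # Attach the bar to the row as a new 'Chart' property and pass it on.
            $item | Add-Member -NotePropertyName Chart `
                               -NotePropertyValue ("$Character" * $count) `
                               -PassThru -Force
        }
    }
}

# Top 14 processes by working set, shown in MB (assumed unit) with a 20-wide chart.
Get-Process |
    Sort-Object WorkingSet64 -Descending |
    Select-Object -First 14 Name,
        @{ Name = 'Working Set'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 2) } } |
    Add-TextChart -Property 'Working Set' -MaxWidth 20 |
    Format-Table -AutoSize
```

Because the function only needs a numeric property name, any grouped or counted output can be piped into it in the same way.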

Your task is …

Generate a similar table for event log entries on the local system as follows:

  • Only consider ‘error’ and ‘warning’ events from the ‘System’ log
  • Group events by source
  • Create a table with these columns: event source, number of events, chart.  
  • Sort the table by ‘number of events’

This should provide a useful table showing the event source generating the greatest number of errors, but it could be enhanced to be even more useful, so once you have the technique, extend the table in these two ways:

  1. Scan multiple servers, aggregating the information in one table
  2. Add the ‘eventID’ to the list of properties, so that the table is sorted first by source, then event id, so you can be more granular about the ‘worst offender’.

If you’re in need of a hint, click here.