Query windows event log for the past two weeks
I am trying to export a windows event log but limit the exported events not according to number but according to time the event was logged. I am trying to do that on windows 7 and newer. So far my efforts are focused on using wevtutil.
I am using wevtutil and my command line now is: wevtutil Application events.evtx The problem here is that I export the whole log and this can be quite big so I want to limit it just to the last 2 weeks.
I have found this post but first of all it does not seem to produce any output on my system(yes I have changed the dates and time) and second it seems to be dependent on the date format which I try to avoid.
Here is the modified command I ran:
wevtutil qe Application "/q:*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text
I had to replace the < and > with the actual symbols as I got a syntax error otherwise. This command produces empty output.
Answer
The problem is due to /q: being inside quotes. It should be outside, like:
wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text
This works just fine for me.