Understanding The PowerShell Help System: Get-Help

CMDLET Name : Get-Help

What it does: Displays information about how to use a particular cmdlet or function.

Most people, when they start out with PowerShell, are not aware of the extensive help that PowerShell ships with, and as such may perceive PowerShell to be a difficult language. In reality the truth couldn’t be any farther from this. Personally I have found PowerShell to be one of the easiest languages to learn. Granted, there is a learning curve, especially for people coming from a programming background (C#, etc.), who may find concepts like the pipeline a little strange, but if you give yourself a month’s time I guarantee you will be writing PowerShell scripts in no time.

Here is the basic usage:

Get-Help CmdletName -Parameters

 

There are 5 main parameters that you might want to use with Get-Help:
    -Full: Displays the complete help written for the cmdlet.
    -Detailed: Adds parameter descriptions and examples to the basic help display.
    -Examples: Displays sample usage scenarios for a cmdlet. (Beginners will love this.)
    -Online: Displays the online version of a help topic in the default Internet browser.
    -ShowWindow: Displays help in a window (a.k.a. GUI) for easier reading. The window includes a “Find” search feature and a “Settings” box that lets you set options for the display, including options to display only selected sections of a help topic. (Needs PowerShell V3.)

 

By default when you run Get-Help you get help without parameter descriptions or examples. 

Let's get help for a cmdlet: Get-EventLog

PS C:\> Get-Help Get-EventLog -Examples

NAME
    Get-EventLog

SYNOPSIS
    Gets the events in an event log, or a list of the event logs, on the local or remote computers.

    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>get-eventlog -list

    This command gets the event logs on the computer.

    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>get-eventlog -newest 5 -logname application

    This command gets the five most recent entries from the Application event log.

    -------------------------- EXAMPLE 3 --------------------------

    PS C:\>$events = get-eventlog -logname system -newest 1000
    PS C:\>$events | group-object -property source -noelement | sort-object -property count -descending

 

There were 11 different examples; I am just showing the first 3.

 

Using the -ShowWindow help parameter:

[Screenshot: the ShowWindow help window]

 

The -Full, -Detailed and -Online parameters are pretty self-explanatory so I won't demo them. You can run Get-Help with each parameter and see for yourself.

 

 

Let's run Get-Help without any parameters:

PS C:\> Get-Help Get-EventLog

NAME
    Get-EventLog

SYNOPSIS
    Gets the events in an event log, or a list of the event logs, on the local or remote computers.

SYNTAX
    Get-EventLog [-LogName] <String> [[-InstanceId] <Int64[]>] [-After <DateTime>] [-AsBaseObject] [-Before <DateTime>] [-ComputerName <String[]>] [-EntryType <String[]>] [-Index <Int32[]>] [-Message <String>] [-Newest <Int32>] [-Source <String[]>] [-UserName <String[]>] [<CommonParameters>]

    Get-EventLog [-AsString] [-ComputerName <String[]>] [-List] [<CommonParameters>]

DESCRIPTION
    The Get-EventLog cmdlet gets events and event logs on the local and remote computers.

 

 

For a beginner the syntax section won't make much sense, so let's unravel the meaning behind the maze of those square brackets.

Notice that Get-EventLog appears twice under the syntax section, with the two entries separated by a blank line.

This basically means there are two different ways of using the Get-EventLog cmdlet, each independent of the other. The technical term for this is ParameterSets.

 

Note: Get-Service has 3 and Get-Process has 6 ParameterSets.

 

Let's take a look at ParameterSet 1

 

Most parameters in PowerShell follow this pattern:

-ParameterName  <ParameterValue>

I said most because there are some parameters, for example parameters 12 & 13, that do not need a value to be specified. These are known as Switch parameters.

 

ParameterTable 1.0: List of various parameters for Get-EventLog

| No. | ParameterName/Value | Type | Meaning |
|---|---|---|---|
| Parameter1 | [-LogName] <String> | Mandatory | ParameterName is optional but ParameterValue is mandatory |
| Parameter2 | [[-InstanceId] <Int64[]>] | Optional | ParameterName is optional (enclosed in square brackets) but ParameterValue is mandatory. [] means an array, so ParameterValue can be multiple items (comma-separated list) |
| Parameter3 | [-After <DateTime>] | Optional | Both ParameterName and ParameterValue are Mandatory. |
| Parameter4 | [-Before <DateTime>] | Optional | Both ParameterName and ParameterValue are Mandatory. |
| Parameter5 | [-ComputerName <String[]>] | Optional | Both ParameterName and ParameterValue are Mandatory. Value is an array. |
| Parameter6 | [-EntryType <String[]>] | Optional | Both ParameterName and ParameterValue are Mandatory. Value is a string array. |
| Parameter7 | [-Index <Int32[]>] | Optional | Both ParameterName and ParameterValue are Mandatory. Value is an integer array. |
| Parameter8 | [-Message <String>] | Optional | Both ParameterName and ParameterValue are Mandatory. |
| Parameter9 | [-UserName <String[]>] | Optional | Both ParameterName and ParameterValue are Mandatory. Value is a string array. |
| Parameter10 | [-Newest <Int32>] | Optional | Both ParameterName and ParameterValue are Mandatory. |
| Parameter11 | [-Source <String[]>] | Optional | Both ParameterName and ParameterValue are Mandatory. Value is a string array. |
| Parameter12 | [-AsBaseObject] | Optional | Known as a switch parameter. These parameters do not require a value to be specified. |
| Parameter13 | [<CommonParameters>] | Optional | Known as a switch parameter. These parameters do not require a value to be specified. |

 

Out of the 13 parameters above just one is mandatory, which means that in order to run the Get-EventLog cmdlet we need to specify at least one parameter, which is Parameter1 (LogName).

What happens if I run Get-EventLog without specifying the mandatory parameter?

PS C:\> Get-EventLog

cmdlet Get-EventLog at command pipeline position 1

Supply values for the following parameters:

LogName: 

 

Yeah, so it didn’t run; instead it prompts me to specify a value for the LogName parameter. So let's specify System and hit Enter.

PS C:\> Get-EventLog

cmdlet Get-EventLog at command pipeline position 1

Supply values for the following parameters:

LogName: System

 

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    9462 Apr 16 22:59  Information Service Control M…   1073748869 A service was installed
    9461 Apr 16 22:59  Information Microsoft-Windows…            1 The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.

 

The above is a list of all entries from the System log on my computer. Since more than 100 entries were returned I have had to truncate the output.

This time we won't be prompted for a value.

ParameterName = LogName and ParameterValue = Application

PS C:\> Get-EventLog -LogName Application

 

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
   13333 Apr 17 01:27  Information Customer Experien…   1073742831 The

 

Looking at our ParameterTable 1.0 above we know that for parameter1 the ParameterName is optional whereas the ParameterValue is mandatory. So we can re-type the above command like so:

PS C:\> Get-EventLog  Application

 

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
   13333 Apr 17 01:27  Information Customer Experien…   1073742831 The

 

Same output as before, but we didn’t have to specify the ParameterName.

Let's look at Parameter2: InstanceID

Looking at our ParameterTable 1.0 we know that Parameter2 itself is optional but if specified the ParameterName is optional but ParameterValue is mandatory.

Example:

Get all System event log entries with an InstanceID = 2147483983

[Screenshot of the command and its output]

Since the ParameterName InstanceID is optional, we can get the same result as above by specifying just the value for InstanceID:

[Screenshot of the command and its output]

Also notice that the ParameterValue can take an array, not just of integers but of long integers (Int64). So we can specify multiple values of InstanceID like so:

[Screenshot of the command and its output]
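The three ways of passing InstanceId described above, as an added example (these are not the original post's own commands). It assumes Windows PowerShell 3.0 or later and a System log that contains the InstanceId quoted in the text; the second ID in the array is the one from the "A service was installed" row in the sample output earlier on this page.

```powershell
# Added example; 2147483983 is the InstanceId used in the text above.
$id = 2147483983

# 1. Parameter names spelled out.
$named = @(Get-EventLog -LogName System -InstanceId $id)

# 2. Names omitted: LogName binds at position 0, InstanceId at position 1.
$positional = @(Get-EventLog System $id)

# Both calls bind the same parameters, so they return the same entries
# (unless a new matching event was written between the two calls).
$same = ($named.Index -join ',') -eq ($positional.Index -join ',')
"Named and positional forms returned the same entries: $same"

# 3. <Int64[]> accepts a comma-separated list of values.
Get-EventLog System 2147483983, 1073748869 -Newest 10 |
    Select-Object Index, TimeGenerated, InstanceId, Source

# Trace how the engine binds the unnamed arguments to LogName and InstanceId.
Trace-Command -Name ParameterBinding -PSHost -Expression {
    Get-EventLog System 2147483983 -Newest 1
}
```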

 

Let's use 2 parameters this time, Parameter5 (ComputerName) and Parameter10 (Newest).

The command below gets the latest 5 entries from the system log on servers KKS-DC1 & KKS-DC2.

PS C:\> Get-EventLog System -ComputerName KKS-DC1,KKS-DC2 -Newest 5 | select Machinename,TimeGenerated,EntryType,Message

 

MachineName TimeGenerated           EntryType Message
----------- -------------           --------- -------
KKS-DC1     4/14/2014 12:00:00 PM Information The system uptime is 1…
KKS-DC1     4/13/2014 12:00:00 PM Information The system uptime is 9…
KKS-DC1     4/13/2014 9:25:47 AM      Warning The time service has n…
KKS-DC1     4/12/2014 12:00:00 PM Information The system uptime is 9…
KKS-DC1     4/12/2014 9:32:04 AM  Information The Network Location A…
KKS-DC2     4/14/2014 12:00:00 PM Information The system uptime is 1…
KKS-DC2     4/14/2014 11:25:52 AM     Warning The Key Distribution C…
KKS-DC2     4/14/2014 1:25:52 AM      Warning The Key Distribution C…
KKS-DC2     4/13/2014 3:25:52 PM      Warning The Key Distribution C…
KKS-DC2     4/13/2014 12:00:00 PM Information The system uptime is 9…

 

Note: we cannot omit -ComputerName or -Newest because the ParameterName for both of these parameters is mandatory.

 

If you are interested in learning about Parameter13, namely CommonParameters, you can run this:

If you run Get-Help with the -Full parameter you can get detailed information about each parameter, which will tell you whether a parameter is mandatory or not.

     -Before <DateTime>

        Gets only the events that occur before the specified date and time. Enter a DateTime  object, such as

        the one returned by the Get-Date cmdlet.

       

        Required?                    false

        Position?                    named

        Default value               

        Accept pipeline input?       false

        Accept wildcard characters?  false

       

    -ComputerName <String[]>

        Specifies a remote computer. The default is the local computer.

       

        Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote

        computer. To specify the local computer, type the computer name, a dot (.), or “localhost”.

       

        This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of

        Get-EventLog even if your computer is not configured to run remote commands.

       

        Required?                    false

        Position?                    named

        Default value                Local computer

        Accept pipeline input?       false

        Accept wildcard characters?  false
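The same facts that the SYNTAX brackets and the Required?/Position? fields convey (mandatory or optional, positional or named, switch or not) can also be read from the command's metadata with Get-Command. The following is an added example, not part of the original post: the function name Get-ParameterSetSummary is hypothetical, and it assumes Windows PowerShell 3.0 or later, where Get-EventLog is available.

```powershell
# Added example: one row per parameter, per parameter set.
function Get-ParameterSetSummary {
    param(
        [Parameter(Mandatory)]
        [string]$CommandName
    )

    # Shown in SYNTAX as [<CommonParameters>]; every cmdlet has them, so skip them.
    $common = 'Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction',
              'ErrorVariable', 'WarningVariable', 'InformationVariable',
              'OutVariable', 'OutBuffer', 'PipelineVariable'

    foreach ($set in (Get-Command -Name $CommandName).ParameterSets) {
        foreach ($p in $set.Parameters) {
            if ($common -contains $p.Name) { continue }

            [pscustomobject]@{
                ParameterSet = $set.Name
                Parameter    = $p.Name
                Type         = $p.ParameterType.Name
                # True only for parameters written without outer brackets in SYNTAX.
                Required     = $p.IsMandatory
                # Named-only parameters report Int32.MinValue as their position;
                # a number means the name may be omitted, e.g. [-LogName] <String>.
                Position     = if ($p.Position -eq [int]::MinValue) { 'named' } else { $p.Position }
                # Switch parameters take no value, e.g. [-AsBaseObject].
                Switch       = $p.ParameterType -eq [switch]
            }
        }
    }
}

Get-ParameterSetSummary Get-EventLog | Format-Table -AutoSize

# Number of parameter sets per cmdlet on this machine.
'Get-EventLog', 'Get-Service', 'Get-Process' | ForEach-Object {
    '{0}: {1}' -f $_, (Get-Command $_).ParameterSets.Count
}
```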

 

Moving on to ParameterSet 2

Right off the bat we can tell that all parameters in this ParameterSet are optional, with -AsString and -List as Switch parameters.

Example:

The command below provides a summary of all the eventlogs from the remote computer KKS-DC1.

[Screenshot of the command and its output]

 

Note: The Get-EventLog cmdlet does not contain a -Credential parameter, so you cannot specify alternate credentials for accessing logs on a remote machine that is in a workgroup.
