0

I'm trying to add two different WMI events to an SCCM server with a PowerShell script that someone else wrote. I have to make the two event queries into one query and I'm not sure how best to do it. I've tried it a bunch of different ways so far. Here's the code:

Function WMI-InstanceFilter
{
# Function Started
LogTraceMessage "*** Function WMI-InstanceFilter Started ***"
Write-Verbose "*** Function WMI-InstanceFilter Started ***"

$PropertyHash = @{
    QueryLanguage = "WQL";
    Query = "";
    Name = "Name";
    EventNameSpace="root/sms/site_$($SiteCode)"
    }

$Script:InstanceFilter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $PropertyHash -Verbose -ErrorAction Stop

Here's the two event queries I need to somehow combine and put into the query line:

SELECT * FROM __InstanceOperationEvent Within 900 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'drivers - %'"

SELECT * FROM __InstanceOperationEvent Within 300 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'BIOS - %'"

What would be the best way to do this?

Improve this question
1
  • 1
    You can combine the name queries like this: TargetInstance.Name LIKE 'drivers - %' OR TargetInstance.Name LIKE 'BIOS - %'. However, I don't think you can combine the timings, so you will need to choose a single duration for the WITHIN clause as it is now a single query. Commented Aug 24, 2018 at 15:31

1 Answer 1

Reset to default
1

You're dealing with WQL in your queries and you can only have a single WITHIN value - see https://learn.microsoft.com/en-gb/windows/desktop/WmiSdk/within-clause so you'll either have to pick 300 (seconds = 5 minutes) or 900 (seconds = 15 minutes) or a compromise value somewhere between them.

Your combined SELECT statement would look like this

SELECT * FROM __InstanceOperationEvent WITHIN 900 WHERE TargetInstance ISA 'SMS_Package' AND TargetInstance.Name LIKE 'drivers - %' OR TargetInstance.Name LIKE 'BIOS - %'

Change the WITHIN value to what you think best for your needs.

Do you need both drive & bios at the same time or could you use a parameter driven switch statement to swap between them?

Something like this

Function WMI-InstanceFilter {
[CmdletBinding()]
param (
  [ValidateSet('Bios', 'Drivers' )]
  [string]$InstanceType
)

# Function Started
LogTraceMessage "*** Function WMI-InstanceFilter Started ***"
Write-Verbose "*** Function WMI-InstanceFilter Started ***"

switch ($InstanceType) {
 'Bios' {
          $query = "SELECT * FROM __InstanceOperationEvent Within 900 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'drivers - %'"
        }
  'Drivers' {
          $query = "SELECT * FROM __InstanceOperationEvent Within 300 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'BIOS - %'"
        }
}

$PropertyHash = @{
    QueryLanguage = "WQL"
    Query = $query
    Name = "Name"
    EventNameSpace="root/sms/site_$($SiteCode)"
    }

$Script:InstanceFilter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $PropertyHash -Verbose -ErrorAction Stop
}
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

No, Don't have to do them at the same time, just wasn't sure of any way else to do it. What would a parameter driven switch statement look like? Let me know and I'll accept your answer either way.
I've added a possible function to the answer
Trying running what you wrote but it didn't work and the log file said "Variable ErrorMessage set to System.ArgumentException: Could not infer CimType from the provided .NET object."
Do the queries run outside of the function ie can you manually create the CIMinstance?
Nope. "New-CimInstance : Could not infer CimType from the provided .NET object."

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.