Although the PowerShell pipeline is a powerful feature, using it here is unnecessary and inefficient. This command first loads all<\/em> events from the System log into memory and only then filters them by type. A more efficient approach is to filter during retrieval:<\/p>\n This runs faster\u2014but there\u2019s a bigger issue. Microsoft now recommends using Get-WinEvent<\/strong>, which is documented here: At first glance, you might simply replace Get-EventLog with Get-WinEvent:<\/p>\n Or slightly better:<\/p>\n But this still requires reading the entire log first\u2014so you gain no performance benefits.<\/p>\n The real power of Get-WinEvent is that it allows event filtering before<\/em> reading the log. You can filter in two ways:<\/p>\n Using a Hashtable (the simplest approach)<\/strong><\/p>\n Using an XPath query<\/strong><\/p>\n I ran all variations against my local System log (\u224850,000 events), using Measure-Command.<\/p>\n Pipeline filtering (Get-EventLog + Where-Object)<\/strong><\/p>\n \u2248 8 seconds<\/strong><\/p>\n Filter parameter (Get-EventLog -EntryType)<\/strong><\/p>\n \u2248 6 seconds<\/strong> (about 25% faster)<\/p>\n Pipeline filtering with Get-WinEvent<\/strong><\/p>\n \u2248 13 seconds<\/strong> (even slower!)<\/p>\n FilterHashTable (the fastest)<\/strong><\/p>\n \u2248 566 ms<\/strong><\/p>\n XPath filter<\/strong><\/p>\n \u2248 600 ms<\/strong><\/p>\n For performance, always use Get-WinEvent with -FilterHashTable<\/strong>, -FilterXML<\/strong>, or -FilterXPath<\/strong>.<\/p>\n One important detail rarely mentioned in online resources: This is not a big issue in interactive sessions, but in scripts it produces noisy output. To avoid this, simply ignore the error:<\/p>\n Here\u2019s how we port the same query into our scripting engine:<\/p>\n To measure performance:<\/p>\n Result: \u2248 609 ms<\/strong> That\u2019s all for now. As the developers of Event Log Explorer<\/strong>, we strongly recommend using our software for tasks involving event log analysis. However, we fully recognize that PowerShell offers an exceptionally powerful scripting environment for managing Windows systems. When you choose to work with PowerShell, it\u2019s important to do so efficiently\u2014and using the right event filtering techniques can dramatically improve performance.<\/p>\n Windows PowerShell provides several methods to filter event logs. In this article, we compare their performance to find the fastest. We also compared PowerShell log filtering with our Event Log Explorer scripting. <\/p>\n","protected":false},"author":2,"featured_media":623,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[83],"tags":[34,84,55,35],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/615"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=615"}],"version-history":[{"count":4,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/615\/revisions"}],"predecessor-version":[{"id":622,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/615\/revisions\/622"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/623"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}$elSysErr = Get-EventLog -LogName System -EntryType 'Error'<\/pre>\n
\nYou shouldn\u2019t use Get-EventLog at all<\/strong>:<\/p>\n\n
\nhttps:\/\/learn.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.diagnostics\/get-winevent<\/a><\/p>\nRewriting the Command with Get-WinEvent<\/h2>\n
$elSysErr = Get-WinEvent System | Where-Object LevelDisplayName -eq 'Error'<\/pre>\n
$elSysErr = Get-WinEvent System | Where-Object Level -eq 2<\/pre>\n
\n
$elSysErr = Get-WinEvent -FilterHashTable @{LogName='System'; Level=2}<\/pre>\n$elSysErr = Get-WinEvent -LogName 'System' -FilterXPath '*[System[(Level=2)]]'<\/pre>\n
Performance Comparison<\/h2>\n
Measure-Command { Get-EventLog -LogName System | Where-Object EntryType -Eq 'Error' }<\/pre>\n![\"\"](\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/11\/Get-EventLog1.png\")
<\/a><\/p>\nMeasure-Command { Get-EventLog -LogName System -EntryType 'Error' }<\/pre>\nMeasure-Command { Get-WinEvent System | Where-Object Level -eq 2 }<\/pre>\n![\"\"](\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/11\/Get-WinEvent1.png\")
<\/a><\/p>\nMeasure-Command { Get-WinEvent -FilterHashTable @{LogName='System'; Level=2} }<\/pre>\nMeasure-Command { Get-WinEvent -LogName 'System' -FilterXPath '*[System[(Level=2)]]' }<\/pre>\nConclusion:<\/strong><\/h3>\n
Handling the \u201cNo events found\u201d error<\/h2>\n
\nIf no events match the filter, Get-WinEvent throws a non-terminating error.<\/p>\n$elSysErr = Get-WinEvent -FilterHashTable @{LogName='System'; Level=2} -ErrorAction SilentlyContinue\r\nif ($elSysErr -eq $null) {\r\n \u00a0\u00a0 Write-Output \"no events match this filter\"\r\n} else {\r\n \u00a0 # work with the result set\r\n}<\/pre>\nHow This Looks in Event Log Explorer Script Engine<\/strong><\/h2>\n
theApp.OpenLogQuery('', 'System', '*[System[(Level = 2)]]', True);<\/pre>\nvar\r\n StartTime, FinishTime: DWORD;\r\nbegin\r\n StartTime := GetTickCount();\r\n theApp.OpenLogQuery('', 'System', '*[System[(Level = 2)]]', True);\r\n FinishTime := GetTickCount();\r\n DebugOut('Executed in ', FinishTime - StartTime, ' ms');\r\nend.<\/pre>\n![\"\"](\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2025\/11\/ElexOpenLogQuery.png\")
<\/a><\/p>\n
\nNot bad\u2014especially considering it not only retrieves the events, but also displays them.<\/p>\nClosing Thoughts<\/h2>\n
![\"Facebook\"](\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/facebook.png\" "\\"Share")
<\/a>![\"twitter\"](\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/twitter.png\" "\\"Share")
<\/a>![\"reddit\"](\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/reddit.png\" "\\"Share")
<\/a>![\"pinterest\"](\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/pinterest.png\" "\\"Pin")
<\/a>![\"linkedin\"](\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/linkedin.png\" "\\"Share")
<\/a>![\"mail\"](\"https:\/\/eventlogxp.com\/blog\/wp-content\/plugins\/social-media-feather\/synved-social\/image\/social\/regular\/48x48\/mail.png\" "\\"Share")
<\/a>","protected":false},"excerpt":{"rendered":"