PowerShell Where-Object

PowerShell's Where-Object cmdlet is a powerful tool used for filtering objects based on their properties or expressions. This command is commonly used in scripts and on the command line to narrow down results from a larger set of data. Here's a detailed look at how to use Where-Object with some practical examples.


Basic Syntax

Here’s the basic syntax: Get-Something | Where-Object { Condition }
Here, Get-Something represents any cmdlet that outputs data, and Condition involves comparisons or checks against the properties of objects outputted by the previous cmdlet.


Example 1: Filtering Processes

Suppose you want to find all processes that are using more than 100 MB of memory. You can use the Where-Object cmdlet as follows:

In this example:

  • Get-Process lists all current processes.
  • Where-Object { $_.WS -gt 100MB } filters these processes to only those where the working set size (WS, which is the memory usage) is greater than 100 MB.

Example 2: Finding Files Modified Recently

To find all files in a directory modified in the last 7 days:

Here:

  • Get-ChildItem gets the files in the specified directory.
  • Where-Object filters these files to include only those modified in the last 7 days. The Get-Date cmdlet is used to get the current date and time, and AddDays(-7) subtracts 7 days from this date.


Example 3: Selecting Specific Services

If you need to find services that are currently stopped and whose names contain "wp":

In this case:

  • Get-Service lists all services.
  • Where-Object filters for services that are stopped (Status -eq 'Stopped') and whose names contain "wp" (Name -like '*wp*').

Example 4: Filtering Application Event Log for Warnings

Suppose you are managing a network of computers and need to filter event logs to find events that occurred during the night shift (between 10 PM and 6 AM) and had a severity level of "Error" or "Warning". Additionally, you only want logs from the last 7 days. Your script would be:

Here:

  • Get Event Logs: Get-EventLog -LogName Application -EntryType Error, Warning retrieves all application logs where the entry type is either "Error" or "Warning".
  • Script Block for Where-Object:
    • $_ represents each item (event log entry) passed from Get-EventLog.
    • TimeGenerated -gt (Get-Date).AddDays(-7) filters logs to include only those generated in the last 7 days.
    • TimeGenerated.TimeOfDay -gt [timespan]"22:00:00" checks if the log was generated after 10 PM.
    • TimeGenerated.TimeOfDay -lt [timespan]"06:00:00" checks if the log was generated before 6 AM.
    • The -or operator between the time checks ensures that any logs generated between 10 PM and 6 AM are included, covering the night shift hours.
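
The night-shift filter described above, as an added example (not the script from the original page). It runs against constructed sample events instead of a live log, and the variable names ($cutoff, $nightStart, $nightEnd, $grouped, $ungrouped) are illustrative. It also shows why the two time-of-day checks need parentheses: -and and -or have equal precedence in PowerShell and are evaluated left to right.

```powershell
# Constructed sample events standing in for Get-EventLog output (not real log data).
$now = Get-Date
$events = @(
    [pscustomobject]@{ Id = 1; EntryType = 'Error';       TimeGenerated = $now.Date.AddDays(-1).AddHours(23) }   # 23:00 yesterday
    [pscustomobject]@{ Id = 2; EntryType = 'Warning';     TimeGenerated = $now.Date.AddDays(-2).AddHours(3) }    # 03:00 two days ago
    [pscustomobject]@{ Id = 3; EntryType = 'Error';       TimeGenerated = $now.Date.AddDays(-3).AddHours(14) }   # 14:00, day shift
    [pscustomobject]@{ Id = 4; EntryType = 'Warning';     TimeGenerated = $now.Date.AddDays(-30).AddHours(2) }   # 02:00, 30 days ago
    [pscustomobject]@{ Id = 5; EntryType = 'Information'; TimeGenerated = $now.Date.AddDays(-1).AddHours(23.5) } # 23:30, wrong type
)

$cutoff     = $now.AddDays(-7)          # start of the 7-day window
$nightStart = [timespan]'22:00:00'
$nightEnd   = [timespan]'06:00:00'

# Grouped: the window spans midnight, so the two time checks are joined with -or
# and wrapped in parentheses so that the type and date conditions apply to both.
$grouped = $events | Where-Object {
    $_.EntryType -in 'Error', 'Warning' -and
    $_.TimeGenerated -gt $cutoff -and
    ($_.TimeGenerated.TimeOfDay -gt $nightStart -or $_.TimeGenerated.TimeOfDay -lt $nightEnd)
}

# Ungrouped: parsed as ((type -and recent -and after 22:00) -or before 06:00),
# so anything logged before 06:00 passes regardless of age or entry type.
$ungrouped = $events | Where-Object {
    $_.EntryType -in 'Error', 'Warning' -and
    $_.TimeGenerated -gt $cutoff -and
    $_.TimeGenerated.TimeOfDay -gt $nightStart -or $_.TimeGenerated.TimeOfDay -lt $nightEnd
}

"Grouped   Ids: $($grouped.Id -join ', ')"
"Ungrouped Ids: $($ungrouped.Id -join ', ')"
```

The grouped filter keeps events 1 and 2 only; the ungrouped one also lets through event 4, which is 30 days old. On a live system, replace $events with the Get-EventLog call described above.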


Using Shorter Syntax

PowerShell also supports a shorter alias and syntax for Where-Object, using ? instead:

This does exactly the same as the longer Where-Object syntax but is quicker to type.


Download Example Scripts

You can download the script here: download-where-object-example-scripts.txt

Once you learn the PowerShell basics, you need to implement what you learnt. Practicing your Windows PowerShell skills by querying Microsoft 365 would be a good start, since Microsoft 365 administration is an in-demand skill. Learn how to use PowerShell Where-Object to Query Microsoft 365. If you don't have a Microsoft 365 account yet, read how to sign up for Microsoft 365.

