Converting between XML systemtime and number of hours or days with Powershell

May 14 2020

I recently used an XML query in Powershell that looked like this:

[cc lang="xml" escaped="true"]$xmlQuery = @'
&lt;QueryList&gt;
&lt;Query Id="0" Path="Security"&gt;
&lt;Select Path="Security"&gt;
*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]] and EventData[Data[@Name='IPAddress'] and (Data='192.168.11.7')]]
&lt;/Select&gt;
&lt;/Query&gt;
/QueryList&gt;
'@ 
[/cc]

[cc lang="xml" escaped="true"]$xmlQuery = @'

*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='IPAddress'] and (Data='192.168.11.7')]]

</Select>

</Query>

/QueryList>

[/cc]

The query was used to filter events from the event log that occurred within the last 24 hours. However I needed to change this 7 days. The unit of time is milliseconds but I wanted to make sure I had it exactly correct, so I checked it using the following commands:

[cc lang="powershell" escaped="false"]$Start=[datetime]"01/01/2020 00:00"
$End=[datetime]"01/02/2020 00:00"
New-Timespan -Start $Start -End $End[/cc]

[cc lang="powershell" escaped="false"]$Start=[datetime]"01/01/2020 00:00"

$End=[datetime]"01/02/2020 00:00"

New-Timespan -Start $Start -End $End[/cc]

This was my first command to check that I was using the right units of time. This command returned:

[cc lang="powershell" escaped="false"]Days              : 1
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 0
Ticks             : 864000000000
TotalDays         : 1
TotalHours        : 24
TotalMinutes      : 1440
TotalSeconds      : 86400
TotalMilliseconds : 86400000[/cc]

[cc lang="powershell" escaped="false"]Days : 1

Hours : 0

Minutes : 0

Seconds : 0

Milliseconds : 0

Ticks : 864000000000

TotalDays : 1

TotalHours : 24

TotalMinutes : 1440

TotalSeconds : 86400

TotalMilliseconds : 86400000[/cc]

So I could confirm that milliseconds was the right unit of time – and you can see that 86400000 matches the 24 hour time difference I use in my XML query above. So I wanted to confirm what 7 days would be:

[cc lang="powershell" escaped="false"]$End=[datetime]"01/08/2020 00:00"
New-Timespan -Start $Start -End $End

Days              : 7
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 0
Ticks             : 6048000000000
TotalDays         : 7
TotalHours        : 168
TotalMinutes      : 10080
TotalSeconds      : 604800
TotalMilliseconds : 604800000[/cc]

[cc lang="powershell" escaped="false"]$End=[datetime]"01/08/2020 00:00"

New-Timespan -Start $Start -End $End

Days : 7

Hours : 0

Minutes : 0

Seconds : 0

Milliseconds : 0

Ticks : 6048000000000

TotalDays : 7

TotalHours : 168

TotalMinutes : 10080

TotalSeconds : 604800

TotalMilliseconds : 604800000[/cc]

So I could see that the number I needed to use in my query for a time difference of 7 days was 604800000. So my new XML query would be:

[cc lang="xml" escaped="true"]$xmlQuery = @'
&lt;QueryList>
&lt;Query Id="0" Path="Security">
&lt;Select Path="Security">
*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]] and EventData[Data[@Name='IPAddress'] and (Data='192.168.11.7')]]
&lt;/Select>
&lt;/Query>
&lt;/QueryList>
'@[/cc]

[cc lang="xml" escaped="true"]$xmlQuery = @'

*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= 604800000]] and EventData[Data[@Name='IPAddress'] and (Data='192.168.11.7')]]

</Select>

</Query>

</QueryList>

'@[/cc]

Posted inUncategorized

Converting between XML systemtime and number of hours or days with Powershell

Leave a Reply Cancel reply

Follow Us

Address

Contact

Company Information