How is everyone parsing these powershell transcriptions when a person leaves the shell open for multiple days?
In that case it shows the user who executed once, but there can be a hundred command starts spanning multiple days.
Is the consensus to capture this still as one event? Or do you have logic that breaks those into multiple events?
I have some transcripts files 30+MB in size.
Command start time: 20190522100828
PS>CommandInvocation(Get-ProvTask): "Get-ProvTask"
ParameterBinding(Get-ProvTask): name="AdminAddress"; value="google.com:80"
ParameterBinding(Get-ProvTask): name="MaxRecordCount"; value="2147483647"
Command start time: 20190522100830
PS>CommandInvocation(Get-BrokerCatalog): "Get-BrokerCatalog"
ParameterBinding(Get-BrokerCatalog): name="AdminAddress"; value="yahoo.com:80"
ParameterBinding(Get-BrokerCatalog): name="MaxRecordCount"; value="2147483647"
ParameterBinding(Get-BrokerCatalog): name="Property"; value="Uid, Name, MetadataMap, ProvisioningSchemeId, Scopes"
I believe we can potentially link all these events based on the fact that they generate from the same source file.
I could probably go back and look up the original user. It just seems to be a cumbersome process.
Converted from answer to a new question.