Here's an example of my working wmi query:
@(gwmi -query "select * from win32_ntlogevent where eventtype=1 and timegenerated > '12/1/2017'").count
It appears that I can only use the query section, but that doesn't appear to have a count function. Also I would like the date to be a variable for today eventually if that is possible as well.
Thanks!
True, the Custom Counter alarms of Windows connection currently only accept WQL commands and these Select statements are limited with no Count or Today functions. A few pointers to keep in mind:
1) Custom Counter alarm configuration is scheduled to be enhanced in future release of Spotlight in order to accept PS
2) Spotlight provides the Event Logs drilldown that shows recent event log items and that can be filtered by errors
In the meantime, you can configure a Custom Counter alarm by using the Select statement from win32_ntlogevent based on a single numeric value i.e. recordnumber:
select recordnumber from win32_ntlogevent where eventtype=1
Then configure this alarm to have High level threshold value of ‘1’, meaning as long as query doesn’t return null, alarm is raised. 
Next, configure the Scheduling collection of Custom Counter alarm to be on a daily basis so data is collected only once a day. 
Once alarm is raised you can review view event log errors for that day using Event Logs drilldown. I can provide screen captures of the above configuration if needed.
Hope that helps.
Gita
Spotlight Support Team
