Xpath and node value woes

Sigh…I really don’t like working with XML, mainly because every time I think I’ve figured it out, I apparently forget everything I thought I knew and can’t do anything until I Google all day then come to ask the BigFix forum for assistance. 🙂

Two problems:

  1. xpath doesn’t seem to be working for me at all. 😦
  2. node value doesn’t seem to be working for me at all. 😦

Here’s the setup (I’ve loaded the XML from a particular Windows Event log entry into a file for ease of testing):

Q: (xml document of file "c:\event.xml") as xml
A: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}"/><EventID>1149</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x1000000000000000</Keywords><TimeCreated SystemTime="2019-05-17T16:56:29.908625800Z"/><EventRecordID>1812437</EventRecordID><Correlation/><Execution ProcessID="3200" ThreadID="5764"/><Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel><Computer>cdss-rds-01.win.duke.edu</Computer><Security UserID="S-1-5-20"/></System><UserData><EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS"><Param1>ak166-cdss</Param1><Param2>WIN</Param2><Param3>10.237.12.8</Param3></EventXML></UserData></Event>%0d%0a


Q: (node name of it) of (child node of (xml document of file "c:\event.xml"))
A: Event
T: 4.216 ms
I: singular string

Q: (node name of it) of (last child of child node of (xml document of file "c:\event.xml"))
A: UserData
T: 3.626 ms
I: singular string

Q: (node name of it) of (child node of last child of child node of (xml document of file "c:\event.xml"))
A: EventXML
T: 3.045 ms
I: singular string

Q: (node name of it) of (first child of child node of last child of child node of (xml document of file "c:\event.xml"))
A: Param1
T: 2.510 ms
I: singular string

I’m trying to extract the value of “Param1”. Here’s what happens when I try to xpath to the node:

Q: node names of (xpaths "/Event/UserData/EventXML" of (xml document of file "c:\event.xml"))
T: 1.803 ms
I: plural string

There’s no “A:” Just…nothing. No error, but no answer.

After I child-node my way there, changing “node name” to “node value” gives me this:

Q: (node name of it) of (first child of child node of last child of child node of (xml document of file "c:\event.xml"))
A: Param1
T: 0.766 ms
I: singular string

Q: (node value of it) of (first child of child node of last child of child node of (xml document of file "c:\event.xml"))
E: The expression could not be evaluated: Windows Error 0x80020005: Type mismatch.

I know I can “cheat” with preceding/following texts…

Q: preceding text of first "</Param1>" of (following text of first "<Param1>" of ((xml document of file "c:\event.xml") as xml))
A: ak166-cdss
T: 4.158 ms
I: singular substring

…but I’d really rather do this the “right” way. Anyone have any ideas?

3 Likes

I don’t know why XPath isn’t working… maybe something to do with the encoding of the file? In any case, here it is using node inspectors:

q: node value of child nodes of child nodes whose (node name of it = "Param1") of child nodes of child nodes whose(node name of it = "UserData") of child nodes of xml document of file "c:\event.xml"
A: ak166-cdss
T: 1.017 ms
I: singular string
1 Like

In playing with this, it appears that XPATH hates the xmlns attribute in <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> and again in <EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">

After further play, this xpath seems to work for the first layer:

q: node names  of xpath "/*[local-name()='Event']" of xml document of file "event.xml" of parent folder of client
A: Event
1 Like

This works too, but it probably isn’t best practice to dive right down to Param1.

q: node value of child nodes of xpaths "//*[local-name()='Param1']" of child nodes of xml document of file "C:\Users\alinder\Desktop\test.xml"
A: ak166-cdss
T: 0.546 ms
I: singular string
1 Like

Try:

q: node values  of xpath "/*[local-name()='Event']/*[local-name()='UserData']/*[local-name()='EventXML']/*[local-name()='Param1']/text()" of xml document of file "event.xml" of parent folder of client
A: ak166-cdss
1 Like

OK - many googles later, I think I found the “right way” to manage the namespace in our xpath inspector.

Blast from the past from MattBoyd:

https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014756750

Doc here:
https://developer.bigfix.com/relevance/reference/xml-dom-node.html#xpath-string-string-of-xml-dom-node-xml-dom-node

q: node values of xpath ("xmlns:a='http://schemas.microsoft.com/win/2004/08/events/event' xmlns:b='Event_NS'","/a:Event/a:UserData/b:EventXML/b:Param1/text()") of xml document of file "event.xml" of parent folder of client
A: ak166-cdss
4 Likes
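
The same namespace behaviour reproduced outside BigFix, as an added example that is not from any poster in this thread: Python's `xml.etree.ElementTree` stands in for the relevance xpath inspector. The sample event is constructed (made-up computer name, Param values and address); only the two namespace URIs are taken from the XML posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the Event ID 1149 record in the thread.
# Computer name and Param values are made up for the example.
SAMPLE_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>1149</EventID>'
    '<Computer>rds01.example.com</Computer></System>'
    '<UserData><EventXML xmlns="Event_NS">'
    '<Param1>jdoe</Param1><Param2>EXAMPLE</Param2><Param3>192.0.2.10</Param3>'
    '</EventXML></UserData></Event>'
)

# The prefixes a and b are arbitrary; only the URIs must match the document.
NS = {
    "a": "http://schemas.microsoft.com/win/2004/08/events/event",
    "b": "Event_NS",
}


def unqualified_lookup(xml_text):
    """The failing form: unprefixed names only match elements in no namespace."""
    root = ET.fromstring(xml_text)
    return root.findall("./UserData/EventXML/Param1")


def local_name(tag):
    """Strip ElementTree's '{uri}' prefix, the equivalent of XPath local-name()."""
    return tag.rsplit("}", 1)[-1]


def parse_rdp_event(xml_text):
    """Extract the 1149 event fields using namespace-qualified paths."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("./a:System/a:EventID", namespaces=NS)
    if event_id != "1149":
        raise ValueError(f"unexpected EventID: {event_id!r}")
    event_xml = root.find("./a:UserData/b:EventXML", NS)
    if event_xml is None:
        raise ValueError("UserData/EventXML not found in the expected namespaces")
    # Collect Param1..ParamN by local name, in document order.
    params = {local_name(child.tag): (child.text or "") for child in event_xml}
    return {
        "computer": root.findtext("./a:System/a:Computer", namespaces=NS),
        "params": params,
    }
```

The unqualified lookup returns an empty list rather than raising, which matches the silent "no A:" result in the original question.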

FWIW, Notepad++'s XML plugin hates the namespace entries as well.

And I’m not sure the original XML that @straffin posted is complete…when I export an eventlog entry, there is a top-level node <Events> of which <Event> and <UserData> are both child nodes. (notepad++ still hates it though).

How are you exporting the eventlog entry? The XML I posted above is what BigFix gives me when asking for the xml of the event.

Wow…that’s some ugly xpath goin’ on there, but it works! Many, many thanks to @alinder, @brolly33, and @JasonWalker for your assistance! 🙂

1 Like

Oh, I see.
I opened Event Viewer and exported an entry with which to test.

IIRC, an XML document requires a single top-level node of which everything else is a child. I could be wrong, but it raised questions to me.

1 Like

Thanks for the additional info, @JasonWalker!