Sigh…I really don’t like working with XML, mainly because every time I think I’ve figured it out, I apparently forget everything I thought I knew and can’t do anything until I Google all day then come to ask the BigFix forum for assistance.
Two problems:
- xpath doesn’t seem to be working for me at all.
- node value doesn’t seem to be working for me at all.
Here’s the setup (I’ve loaded the XML from a particular Windows Event log entry into a file for ease of testing):
Q: (xml document of file "c:\event.xml") as xml
A: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}"/><EventID>1149</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x1000000000000000</Keywords><TimeCreated SystemTime="2019-05-17T16:56:29.908625800Z"/><EventRecordID>1812437</EventRecordID><Correlation/><Execution ProcessID="3200" ThreadID="5764"/><Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel><Computer>cdss-rds-01.win.duke.edu</Computer><Security UserID="S-1-5-20"/></System><UserData><EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS"><Param1>ak166-cdss</Param1><Param2>WIN</Param2><Param3>10.237.12.8</Param3></EventXML></UserData></Event>%0d%0a
Q: (node name of it) of (child node of (xml document of file "c:\event.xml"))
A: Event
T: 4.216 ms
I: singular string
Q: (node name of it) of (last child of child node of (xml document of file "c:\event.xml"))
A: UserData
T: 3.626 ms
I: singular string
Q: (node name of it) of (child node of last child of child node of (xml document of file "c:\event.xml"))
A: EventXML
T: 3.045 ms
I: singular string
Q: (node name of it) of (first child of child node of last child of child node of (xml document of file "c:\event.xml"))
A: Param1
T: 2.510 ms
I: singular string
I’m trying to extract the value of “Param1”. Here’s what happens when I try to xpath to the node:
Q: node names of (xpaths "/Event/UserData/EventXML" of (xml document of file "c:\event.xml"))
T: 1.803 ms
I: plural string
There’s no “A:” Just…nothing. No error, but no answer.
After I child-node my way there, changing “node name” to “node value” gives me this:
Q: (node name of it) of (first child of child node of last child of child node of (xml document of file "c:\event.xml"))
A: Param1
T: 0.766 ms
I: singular string
Q: (node value of it) of (first child of child node of last child of child node of (xml document of file "c:\event.xml"))
E: The expression could not be evaluated: Windows Error 0x80020005: Type mismatch.
I know I can “cheat” with preceding/following texts…
Q: preceding text of first "</Param1>" of (following text of first "<Param1>" of ((xml document of file "c:\event.xml") as xml))
A: ak166-cdss
T: 4.158 ms
I: singular substring
…but I’d really rather do this the “right” way. Anyone have any ideas?