Select the first 10 events from wevtutil using xpath

I am currently working on a project that uses the Windows event log. I use wevtutil to get results from event logs. I know that wevtutil supports XPath queries, but since I'm new to XPath, I don't know whether I can achieve what I'm trying to do.

In SQL, what I would do is something like this:

SELECT log.*, COUNT(1) numHits
FROM Application log
GROUP BY Source, Task, Level, Description
ORDER BY numHits DESC
LIMIT 10

Is it possible to do such a thing with xpath?

Edit: Here is an example of an Event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='MSSQL$SQLEXPRESS' />
    <EventID Qualifiers='16384'>17403</EventID>
    <Level>4</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime='2010-10-20T20:06:18.000Z' />
    <EventRecordID>9448</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SHAZTOP</Computer>
    <Security />
  </System>
  <EventData>
    <Data>73094</Data>
    <Binary>
    FB4300000A000000130000005300480041005A0054004F0050005C00530051004C004500580050005200450053005300000000000000</Binary>
  </EventData>
</Event>

+3
3 answers

XPath 1.0 has four data types: string, number, boolean, and node.

XPath ( ). , node, @Dimitre @Welbog, fn:position().

, XPath node . , XPath 1.0. , . :

//Event[not(System/Level = preceding::Level) or 
        not(System/Task = preceding::Task)]

XPath 2.0 . . , . :

for $event in
    (//Event)[index-of(//Event/System/concat(Level,'++',Task),
                       System/concat(Level,'++',Task))[1]]
 return
    //Event[System/Level = $event/System/Level]
           [System/Task = $event/System/Task]

XPath 2.0 ( ...), .

. XSLT (1.0 2.0), XQuery.

+1

SQL, , - :

SELECT log.*, COUNT(1) numHits 
FROM Application log 
GROUP BY Source, Task, Level, Description 
ORDER BY numHits DESC 
LIMIT 10

? xpath?

, $n , XPath, :

(ExpressionSelectingNodeSet)[not(position() > $n)]

$n

, , XPath, XSLT, <xsl:sort> XPath position() :

<xsl:stylesheet version="1.0"
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:output omit-xml-declaration="yes" indent="yes"/>

 <xsl:template match="/*">
  <nums>
   <xsl:for-each select="num">
    <xsl:sort data-type="number" order="descending"/>
     <xsl:if test="not(position() > 5)">
      <xsl:copy-of select="."/>
     </xsl:if>
   </xsl:for-each>
  </nums>
 </xsl:template>
</xsl:stylesheet>

XML document:

<nums>
  <num>01</num>
  <num>02</num>
  <num>03</num>
  <num>04</num>
  <num>05</num>
  <num>06</num>
  <num>07</num>
  <num>08</num>
  <num>09</num>
  <num>010</num>
</nums>

, 5 :

<nums>
    <num>010</num>
    <num>09</num>
    <num>08</num>
    <num>07</num>
    <num>06</num>
</nums>
+1

position(), :

/root/element[position()<=10]

For example, to select the first ten elements named element that are children of the root.

If your structure is more complex, you can use position() in different places. For example, if an element named element can exist under more than one parent, but you want the first ten of them independent of the parent, you can do it as follows:

(/root/parent1/element | /root/parent2/element)[position()<=10]
0
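A worked example tying the thread together (added here; it is not code from the question or from any of the answers). wevtutil evaluates XPath 1.0, which has no GROUP BY, COUNT or ORDER BY, so the practical pattern is to let wevtutil do the selection with /q:<xpath> and then aggregate the returned XML in the client. The script below assumes the input was produced by `wevtutil qe Application /f:xml /e:Events > app.xml` (the /e:Events switch wrapping the <Event> elements in a root element is an assumption about the tool's output); the sample events are constructed inline in the same shape as the event in the question, with EventID standing in for the SQL "Description" column because the rendered message text is not in the raw /f:xml output. It also shows, in `first_n`, the client-side equivalent of the answers' `(expr)[not(position() > $n)]` idiom: the first n nodes of the whole node-set in document order, not the first n under each parent.

```python
"""Client-side GROUP BY / COUNT / ORDER BY DESC / LIMIT over wevtutil XML.

Added example, not from the original thread.  Assumes the XML came from
    wevtutil qe Application /f:xml /e:Events > app.xml
(/e:Events wrapping the <Event> elements in a root element is an assumption).
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Namespace used by every <Event> in the Windows event log XML schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(provider, event_id, level, task, record_id, data):
    """Build one constructed <Event> in the shape shown in the question."""
    return (f"<Event xmlns='{NS['e']}'><System>"
            f"<Provider Name='{provider}'/><EventID>{event_id}</EventID>"
            f"<Level>{level}</Level><Task>{task}</Task>"
            f"<EventRecordID>{record_id}</EventRecordID>"
            f"<Channel>Application</Channel></System>"
            f"<EventData><Data>{data}</Data></EventData></Event>")


# Constructed sample: six events, three of them sharing Provider/EventID/Task/Level.
SAMPLE_XML = "<Events>" + "".join([
    _event("MSSQL$SQLEXPRESS", 17403, 4, 2, 9448, "73094"),
    _event("MSSQL$SQLEXPRESS", 17403, 4, 2, 9449, "73095"),
    _event("MSSQL$SQLEXPRESS", 18456, 2, 4, 9450, "login failed (constructed)"),
    _event("Application Error", 1000, 2, 100, 9451, "faulting module (constructed)"),
    _event("MSSQL$SQLEXPRESS", 17403, 4, 2, 9452, "73096"),
    _event("Application Error", 1000, 2, 100, 9453, "faulting module (constructed)"),
]) + "</Events>"


def first_n(xml_text, path, n):
    """Client-side equivalent of (path)[not(position() > n)].

    Slicing the complete node-set takes the first n nodes in document order
    across all parents; path[position() <= n] would instead take up to n
    under *each* parent.  Returns the EventRecordIDs of the selected events
    (path is expected to select <Event> elements).
    """
    root = ET.fromstring(xml_text)
    return [ev.findtext("e:System/e:EventRecordID", namespaces=NS)
            for ev in root.findall(path, NS)[:n]]


def group_key(event):
    """The SQL 'GROUP BY Source, Description, Task, Level' columns, as strings.

    EventID is used as the stand-in for Description: the rendered message is
    not present in /f:xml output (it would need /f:RenderedXml).
    """
    system = event.find("e:System", NS)
    return (system.find("e:Provider", NS).get("Name"),
            system.findtext("e:EventID", namespaces=NS),
            system.findtext("e:Task", namespaces=NS),
            system.findtext("e:Level", namespaces=NS))


def top_groups(xml_text, n=10, level=None):
    """Equivalent of the asker's SQL: count events per group, top n by count.

    `level`, when given, mirrors the filter wevtutil would apply with
    /q:"*[System[Level=<level>]]"; normally you would push that filter into
    wevtutil rather than pulling the whole channel.
    """
    root = ET.fromstring(xml_text)
    events = root.findall("e:Event", NS)
    if level is not None:
        events = [ev for ev in events
                  if ev.findtext("e:System/e:Level", namespaces=NS) == str(level)]
    counts = Counter(group_key(ev) for ev in events)
    # ORDER BY numHits DESC with a deterministic tie-break on the key, then LIMIT n.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("first 2 record ids:", first_n(SAMPLE_XML, "e:Event", 2))
    for (provider, event_id, task, level), hits in top_groups(SAMPLE_XML, n=10):
        print(f"{hits:>3}  {provider:<20} EventID={event_id} Task={task} Level={level}")
```

To run it against a real channel, replace SAMPLE_XML with the contents of app.xml; keeping the XPath filter on the wevtutil side (/q:) and only the aggregation in the client keeps the amount of XML you pull proportional to what you actually need.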

Source: https://habr.com/ru/post/1770779/
