Query .evtx converted to .xml - basex

Having used evtx_dump.py to convert .evtx files to .xml, I seek to learn how to query it using XQuery or whatever helps me data-mine the document using BaseX.
At this point, whatever I try, I can only query the whole document using //Events.
When I define a path such as //Events/Event/System/[EventID = '4688'] I get 0 results.
This first query is simply meant to track all events whose EventID matches a specific value.
Being new to BaseX and XQuery, I found the documentation hard to apply to this use case.
I looked for tools to help me build an XQuery, to no avail.
BaseX has all the index features enabled that I could find.
Br,
Joris

When XQuery fails to return the data you are expecting, it is often caused by the presence of XML namespaces.
The Microsoft XML event log uses an XML namespace on Event nodes, and it is inherited by their children. This is the xmlns='http://schemas.microsoft.com/win/2004/08/events/event' you can see in the files, e.g.:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='SideBySide'/><EventID Qualifiers='49409'>59</EventID><Version>0</Version>
...
Your XQuery must adjust for that, either by saying any namespace is OK (using *:):
//*:System[*:EventID = '4688']
or by explicitly specifying the expected namespaces:
declare namespace ns="http://schemas.microsoft.com/win/2004/08/events/event";
/Events/ns:Event/ns:System[ns:EventID = '4688']
See this similar issue xquery-not-working-with-namespaces
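The same namespace pitfall, as an added example that is not part of the original answer, carried over to Python's standard-library ElementTree, which mirrors both fixes above (a {*} wildcard for the *: form, an explicit prefix map for the declared-namespace form). The XML is a constructed fragment in the evtx_dump.py layout, and the 4688 (process creation) fields it pulls out are the ones a defender typically pivots on when reviewing converted logs.

```python
import xml.etree.ElementTree as ET

# Namespace declared on each <Event> by evtx_dump.py (inherited by its children).
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NSMAP = {"e": EVT_NS}

# Constructed sample in the layout shown above (not a real log extract):
# an un-namespaced <Events> root, each <Event> in the Microsoft event namespace.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='SideBySide'/><EventID Qualifiers='49409'>59</EventID>
<Computer>host01</Computer></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4688</EventID>
<Computer>host01</Computer></System>
<EventData><Data Name='NewProcessName'>C:\Windows\System32\cmd.exe</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4688</EventID>
<Computer>host02</Computer></System>
<EventData><Data Name='NewProcessName'>C:\Windows\explorer.exe</Data></EventData></Event>
</Events>"""

def naive_count(xml_text, event_id):
    """Namespace-less //Events/Event/System[EventID='...']: matches nothing."""
    root = ET.fromstring(xml_text)
    return sum(1 for s in root.findall("./Event/System") if s.findtext("EventID") == event_id)

def any_namespace_count(xml_text, event_id):
    """Like //*:System[*:EventID='...']: {*} accepts any namespace (Python 3.8+)."""
    root = ET.fromstring(xml_text)
    return sum(1 for s in root.findall("./{*}Event/{*}System")
               if s.findtext("{*}EventID") == event_id)

def events_by_id(xml_text, event_id):
    """Like /Events/ns:Event/ns:System[ns:EventID='...'] with ns bound explicitly;
    returns the fields a defender pivots on for process-creation (4688) events."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.findall("./e:Event", NSMAP):
        sysnode = ev.find("e:System", NSMAP)
        if sysnode is None or sysnode.findtext("e:EventID", namespaces=NSMAP) != event_id:
            continue
        hits.append({
            "computer": sysnode.findtext("e:Computer", namespaces=NSMAP),
            "new_process": ev.findtext("e:EventData/e:Data[@Name='NewProcessName']", namespaces=NSMAP),
        })
    return hits
```

Running naive_count against a real evtx_dump.py output reproduces the "0 results" from the question, while the other two functions return the matching events.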

Related

Include text in ForXMLPath query in SQL Server

I want to include a line (simple text) in ForXMLPath query as
<Cat>
but I am having difficulties.
When I try it brings in weird characters with it.
Please help.
Thanks.
select
'<Cat>'
I expect this
<Cat>
but it displays below
<Cat>
I must admit that your question is not clear...
XML is not just some text with fancy extras, but a very strictly organised text based container for data.
A simple SELECT '<Cat>' would never return as <Cat> without a FOR XML somewhere in your query. So please show us a (reduced!) example of your full query and the expected output, best provided as MCVE (a stand-alone sample with DDL, sample data, own attempt and expected output).
Just some general remarks:
If you want to place <Cat> within your XML, the whole output will be broken XML. This opening tag demands a closing </Cat> (or - alternatively - a self-closing <Cat />).
Assumably you try to add out-written tags to your XML as you'd do it in XSLT, JS, ASP.Net or any other XML/HTML producing approach.
Assumably your solution will be a FOR XML PATH() approach without the need of an out-written tag within your XML.
Just to give you an idea:
SELECT 'test' AS [SomeElement] FOR XML PATH('SomeRowTag'),ROOT('SomeRootTag');
produces this XML:
<SomeRootTag>
<SomeRowTag>
<SomeElement>test</SomeElement>
</SomeRowTag>
</SomeRootTag>
If you want to add a <Cat> element you could use an XPath like here
SELECT 'test' AS [Cat/SomeElement] --<-- You can add nest-levels here!
FOR XML PATH('SomeRowTag'),ROOT('SomeRootTag');
The result
<SomeRootTag>
<SomeRowTag>
<Cat>
<SomeElement>test</SomeElement>
</Cat>
</SomeRowTag>
</SomeRootTag>

How do I use With XMLNamespaces to create custom name spaces in SQL?

I want to be able to produce the following namespaces and types for an XML root element:
<BaseTransactionRequest xmlns="http://schemas.datacontract.org/2004/07/SomeCompany" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" i:type="AType">
Typically the first 2 (that is, not including i:type="AType") can be produced without issue (with some tradeoffs: when using custom namespaces we can't represent nulls using the xmlns:ni namespace, etc.).
So, the latter type is problematic. For a refresher,
the WITH XMLNAMESPACES feature is used like below (FOR XML part omitted):
;WITH XMLNAMESPACES ('http://www.w3.org/2001/XMLSchema-instance' as i, DEFAULT 'http://schemas.datacontract.org/2004/07/SomeCompany',
A solution to overcome was to write XML "literally" using string concatenation. But I believe and hope FOR XML and this can be used together.
EDIT: First cut was added in a real rush. Apologies.
EDIT2: Dyslexic fix
Your question is not very clear... You might have a misconception about your i:type="AType". This is not a namespace (whatever a custom namespace is), but a normal attribute, named type living in your namespace i, which is declared at xmlns:i="blah".
Try this
WITH XMLNAMESPACES ('http://www.w3.org/2001/XMLSchema-instance' as i
,DEFAULT 'http://schemas.datacontract.org/2004/07/SomeCompany')
SELECT 'AType' AS [@i:type]
FOR XML PATH('BaseTransactionRequest');
The result is a self closing tag, declaring two namespaces and containing your attribute:
<BaseTransactionRequest xmlns="http://schemas.datacontract.org/2004/07/SomeCompany"
xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
i:type="AType" />

Call external file from XSL

Can we call an external file (xml, Excel or text file) from XSL?
How do I call SQL Server stored procedures through XSL?
All I am trying to figure out is a way to do mappings from source XML to target XML (let's say if the value of mode vehicle is X in the source, I need to translate it to Y in translate XML based on the mapping stored either in an external file or through a SQL Server stored procedure).
XSLT 1 has the document function (https://www.w3.org/TR/xslt-10/#document) to pull in additional XML documents. Beyond that in XSLT 1 you need to look at extension scripts or elements to deal with other sources, such ways depend on the XSLT processor and/or the programming language or platform (e.g. Java or .NET) it is implemented in.
XSLT 2 in addition to the document function has the doc function for dealing with XML input, it has the unparsed-text function (https://www.w3.org/TR/xslt20/#function-unparsed-text) for text formats and collection (https://www.w3.org/TR/xquery-operators/#func-collection) for input collections. As for SQL, as Saxon 9 on Java is probably the XSLT 2 processor used most, it has in its commercial editions an SQL extension http://saxonica.com/html/documentation/sql-extension/.
XSLT 3 adds support for JSON with functions like parse-json (https://www.w3.org/TR/xpath-functions/#func-parse-json) or json-doc (https://www.w3.org/TR/xpath-functions/#func-json-doc) or json-to-xml (https://www.w3.org/TR/xpath-functions/#func-json-to-xml).
In general I wonder why you need XSLT plus a custom mapping format as in my view template based XSLT in the form
<xsl:template match="foo">
<bar>
<xsl:apply-templates/>
</bar>
</xsl:template>
is the way to declare and implement the mapping. However, if you have a custom mapping, then in all versions of XSLT you can use it to create XSLT with XSLT and then run the created XSLT to execute the mapping.

WSO2 DSS - A way to expose single row / single column result as string

I'm using WSO2 DSS and I'm interested in how to expose a single row/column result of a query as a string, and not as an array entry.
So for example if I have query: Select 'test' as t From dual;
It will return only one row with one column, so I don't want the result to be enclosed in like below
<Entry>
<t>test</t>
</Entry>
instead I would like to have just
<t>test</t>
as a response.
Is such a thing possible with dss? what type of output mapping needs to be used in such a case?
In DSS you can add XSLT to extract the test from your response.
There is a field called XSLT Path in the Result (output mapping) section. You can give the configuration registry path or governance registry path for that XSLT to do that.

extract url from xml response

I need to extract url from XML response. Here is the XML response:
<cloud xmlns:xlink="http://www.w3.org/1999/xlink">
<rootContainer xlink:href="https://api.example.net/v2/bucket/92FBC29C-344C-99CF-827E-1B5586A7F8E3"
xlink:type="simple"/>
</cloud>
I'm using C to write regex. Need help.
my output needs to be https://api.example.net/v2/bucket/92FBC29C-344C-99CF-827E-1B5586A7F8E3
You shouldn't. If you have the option, you should use an XML processor for any number of reasons.
But if you must, you can do something like "rootContainer.xlink:href=\"([^\"]+)\"". Syntax may vary depending on what regex library you're using - there isn't a single "regex" syntax.
