Correct filter query syntax


Tdev Test

Dec 14, 2023, 10:20:46 AM12/14/23
to jna-...@googlegroups.com
I want to filter the Windows event log to get just entries older than a specific timestamp. I'm searching for an adequate filter query to pass to EvtQuery(...). I tried:

//Event[System/TimeCreated/@SystemTime >= '2023-12-12T12:00:00.0Z']

this filters the expected entries when I test it with e.g. https://www.freeformatter.com/xpath-tester.html, but it is not compatible with XPath 1.0 for the EvtQuery(...) function. Next I copied the structured XML query example from

https://learn.microsoft.com/en-us/windows/win32/wes/consuming-events

but I get "ERROR_EVT_MALFORMED_XML_TEXT".

I simplified the query to
<QueryList>
    <Query Id="0">
        <Select Path="Application">
            *[System[(Level <= 3)]]
        </Select>
    /Query>
</QueryList>

but still the same error.

Where can I find information for the correct filter syntax?

Kind regards Thomas

Tres Finocchiaro

Dec 14, 2023, 12:12:09 PM12/14/23
to jna-...@googlegroups.com
Hi,

I would strongly recommend removing JNA from the example and using PowerShell for constructing your query: https://github.com/MicrosoftDocs/PowerShell-Docs/blob/main/reference/5.1/Microsoft.PowerShell.Diagnostics/Get-WinEvent.md#example-16-filter-event-log-results

In your example, the following error shows:

Get-WinEvent : Cannot bind parameter 'FilterXml'. Cannot convert value "<QueryList>

    <Query Id="0">
        <Select Path="Application">
            *[System[(Level <= 3)]]
        </Select>
    /Query>
</QueryList>" to type "System.Xml.XmlDocument".

... which is caused by a typo:

    <Query Id="0">
...
    /Query>


The fix is: 
</Query>

Tdev Test

Dec 15, 2023, 4:04:51 AM12/15/23
to Java Native Access
Hi, thanks for your feedback, I will check the PowerShell thing. The typo is just a mistake made while copying the XML into the mail; it is not present in my Java source code.
Kind regards Thomas

Andreas Kuhtz

Dec 15, 2023, 4:27:01 AM12/15/23
to jna-...@googlegroups.com
Hello,

Maybe the '<' in 
Level <= 3
must be "escaped".


Tdev Test

Dec 15, 2023, 7:57:02 AM12/15/23
to Java Native Access
Hi, replacing "<" by "&lt;" did the trick. Thanks. The PowerShell example shows this as well. Looks like the PowerShell tool is great for testing and developing the right syntax.

Kind regards
Thomas

Tdev Test

Dec 15, 2023, 9:23:50 AM12/15/23
to Java Native Access
Remark, in case someone else comes across this: I experimented with the PowerShell thing and realized two points:

a) the text says "... get events that occurred in the last 24-hours from the Windows PowerShell event log ..." but the script yields results from all event logs, not only Windows PowerShell. I had to modify the syntax to get just these log entries:
$xmlQuery = @'
<QueryList>
  <Query Id="0">
    <Select Path="Windows PowerShell">
    *[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXML $xmlQuery

b) there is another interesting way to test the filter syntax, explained here: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761
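The root cause the thread converges on (an unescaped "<" inside the <Select> element makes the whole document malformed XML, which EvtQuery reports as ERROR_EVT_MALFORMED_XML_TEXT) is easy to trip over again whenever a predicate is built from program input. The following is an added example, not code from the posts above or from JNA. It does not call EvtQuery; it builds the <QueryList> document from a channel name and a raw XPath predicate, escapes the predicate, and checks that the result parses before it would be handed to the native API. The helper names (build_query, is_well_formed, select_predicate, system_time_predicate) are my own, and the Python parse failure is only an analogue of the error the event log service returns.

```python
"""Build and sanity-check a structured XML query for the Windows Event Log
(the <QueryList> document accepted by EvtQuery and Get-WinEvent -FilterXml).

Added example for this thread; not code from the original posts or from JNA.
"""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape


def build_query(channel: str, xpath_predicate: str, query_id: int = 0) -> str:
    """Return a <QueryList> document selecting events from `channel`.

    `xpath_predicate` is the raw XPath, e.g. "*[System[(Level <= 3)]]".
    It is embedded as element text, so '<', '>' and '&' must be escaped;
    an unescaped '<=' is read by the XML parser as the start of a new tag.
    """
    path_attr = escape(channel, {'"': "&quot;"})  # channel goes into an attribute
    return (
        "<QueryList>\n"
        f'  <Query Id="{query_id}">\n'
        f'    <Select Path="{path_attr}">\n'
        f"      {escape(xpath_predicate)}\n"
        "    </Select>\n"
        "  </Query>\n"
        "</QueryList>\n"
    )


def is_well_formed(xml_text: str) -> bool:
    """True if the document parses as XML.

    A False here corresponds to the ERROR_EVT_MALFORMED_XML_TEXT result
    reported in the thread (analogy only; this is Python's parser, not the
    event log service).
    """
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def select_predicate(xml_text: str) -> str:
    """Parse the document and return the predicate text of the first Select.

    The parser unescapes '&lt;' back to '<', which is the text the event log
    service actually evaluates.
    """
    root = ET.fromstring(xml_text)
    select = root.find("Query/Select")
    if select is None or select.text is None:
        raise ValueError("no Query/Select element in document")
    return select.text.strip()


def system_time_predicate(since_iso_utc: str) -> str:
    """XPath selecting events created at or after `since_iso_utc`.

    Uses the '*[System[TimeCreated[@SystemTime ...]]]' shape used elsewhere
    in this thread; the first post reports that the '//Event[...]' form is
    rejected by EvtQuery. The timestamp string is passed through unchanged.
    """
    return f"*[System[TimeCreated[@SystemTime >= '{since_iso_utc}']]]"


if __name__ == "__main__":
    raw = "*[System[(Level <= 3)]]"  # constructed sample predicate
    good = build_query("Application", raw)
    # Simulate pasting the predicate in unescaped, as in the original post.
    bad = good.replace("&lt;", "<")
    print("escaped document parses:  ", is_well_formed(good))
    print("unescaped document parses:", is_well_formed(bad))
    print(build_query("Application", system_time_predicate("2023-12-12T12:00:00.0Z")))
```

The same escaping applies to the timediff() query later in the thread, which is why the PowerShell doc example writes "&lt;=". Validating the document locally before the native call turns a bare ERROR_EVT_MALFORMED_XML_TEXT into a parse error that names the offending position.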