{"id":1241,"date":"2014-06-06T00:01:00","date_gmt":"2014-06-06T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/06\/06\/understanding-xml-and-xpath\/"},"modified":"2014-06-06T00:01:00","modified_gmt":"2014-06-06T00:01:00","slug":"understanding-xml-and-xpath","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/understanding-xml-and-xpath\/","title":{"rendered":"Understanding XML and XPath"},"content":{"rendered":"

Summary<\/b>: Microsoft Scripting Guy, Ed Wilson, explores XML and XPath<\/strong>.<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. One of the things that confused me for a long time about using the Get-WinEvent<\/b> cmdlet is the difference between the –FilterXPath<\/b> parameter and the –FilterXml<\/b> parameters. Part of the problem is that there are nearly no examples to be found that illustrate using –FilterXPath<\/b>. A close look at the syntax of the Get-WinEvent<\/b> cmdlet, however, does provide a bit of a clue. I include two examples here:<\/p>\n

Get-WinEvent [[-LogName] <String[]>] [-ComputerName <String>] [-Credential<\/p>\n

<PSCredential>] [-FilterXPath <String>] [-Force] [-MaxEvents <Int64>] [-Oldest]<\/p>\n

[<CommonParameters>]<\/p>\n

 <\/p>\n

Get-WinEvent [-FilterXml] <XmlDocument> [-ComputerName <String>] [-Credential<\/p>\n

<PSCredential>] [-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]<\/p>\n

So the FilterXPath<\/b> parameter wants a simple string, and FilterXml<\/b> wants an actual XML document. When I see XMLDocument<\/b>, I think, “Structured XML.” Maybe I should back up just a little bit…<\/p>\n

What is XPath anyway? Well, XPath is a query language that is used for selecting nodes from an XML document. In addition, I can use XPath to compute values, but this really does not have much to do with querying data from event logs. MSDN has an XPath Reference<\/a> guide that is pretty good, but it is simply for reference. This is because the Windows event log does not contain full support for the XPath query language. Instead, it uses a subset of XPath 1.0. The Consuming Events topic in the Windows Dev Center has a section called XPath 1.0 limitations<\/a>, which is an excellent reference about the specific limitations of the XPath 1.0 subset for querying events and log files.<\/p>\n

An XPath query must resolve to select events, not a single event—it must resolve to events. All valid paths begin with either a * or the keyword Event<\/b>. The paths operate on event nodes, and they are composed of a series of steps. Each step is a structure of three parts: Axis, Node Test, and Predicate. XPath is an industry standard that has been around since 1999. The W3C has a nice language specification (XML Path Language (XPath)<\/a>), which is a good reference.<\/p>\n

The following are limitations of XPath 1.0 in regards to working with event logs:<\/p>\n

Axis<\/b>   Only the Child<\/b> (default) and Attribute<\/b> (and its shorthand @<\/b>) axis are supported.<\/p>\n

Node Test  <\/b> Only node names and NCName tests are supported. The "*<\/b>" character, which selects any character, is supported.<\/p>\n

Predicates  <\/b> Any valid XPath expression is acceptable if the location paths conform to the following restrictions:<\/p>\n