ansaurus

Question

Select top 10 events from wevtutil using xpath

Answer 1

A:

You can use the position() function to limit the results you're getting:

/root/element[position()<=10]

For example, that would select the first ten element elements which are children of the root.

If your structure is more complicated, you can use the position element in different places. For example, if the element element can exist in more than one parent, but you want the first ten of them regardless of parent, you can do it this way:

(/root/parent1/element | /root/parent2/element)[position()<=10]

Welbog 2010-10-21 18:10:42

That sort of helps. How would I do the grouping though? I'll edit the original post to share a sample Event.

Skudd 2010-10-21 18:17:09

XPath doesn't have grouping built into it.

Welbog 2010-10-21 18:19:06

Answer 2

+1 A:

In SQL, what I would be doing is something like this:
SELECT log.*, COUNT(1) numHits 
FROM Application log 
GROUP BY Source, Task, Level, Description 
ORDER BY numHits DESC 
LIMIT 10
Is it possible to do such a thing using xpath?

In case no sorting is necessary, one can get the first $n nodes selected by any XPath expression by:

(ExpressionSelectingNodeSet)[not(position() > $n)]

where $n can be substituted by a specific number

If there is a requirement that the nodes be sorted on one or more sort-keys, then this is not possible pure XPath, but one can easily perform such tasks with XSLT, using the <xsl:sort> instruction and the XPath position() function:

<xsl:stylesheet version="1.0"
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform"&gt;
 <xsl:output omit-xml-declaration="yes" indent="yes"/>

 <xsl:template match="/*">
  <nums>
   <xsl:for-each select="num">
    <xsl:sort data-type="number" order="descending"/>
     <xsl:if test="not(position() > 5)">
      <xsl:copy-of select="."/>
     </xsl:if>
   </xsl:for-each>
  </nums>
 </xsl:template>
</xsl:stylesheet>

When this transformation is applied on the following XML document:

<nums>
  <num>01</num>
  <num>02</num>
  <num>03</num>
  <num>04</num>
  <num>05</num>
  <num>06</num>
  <num>07</num>
  <num>08</num>
  <num>09</num>
  <num>010</num>
</nums>

the correct result, containing only the top 5 numbers is produced:

<nums>
    <num>010</num>
    <num>09</num>
    <num>08</num>
    <num>07</num>
    <num>06</num>
</nums>

Dimitre Novatchev 2010-10-21 18:17:15

Answer 3

+1 A:

XPath 1.0 has four data types: string, number, boolean and node set.

The only XPath ordering criteria is document order (in the given axis direction). That is how you can limit any result node set as @Dimitre and @Welbog have sugested with fn:position().

But, there is no specification that an XPath engine must provide a node set result in any given order. So, you can't sort nor grouping in XPath 1.0. You can select the firsts of each group, but not efficiently. As example:

//Event[not(System/Level = preceding::Level) or 
        not(System/Task = preceding::Task)]

XPath 2.0 has the sequence data type. A sequence has the exclicit order of construction. So, you can group. As example:

for $event (//Event)[index-of(//Event/System/concat(Level,'++',Task),
                              System/concat(Level,'++',Task))[1]]
result //Event[System/Level = $event/System/Level]
              [System/Task = $event/System/Task]

But, because XPath 2.0 has not built-in sorting nor recursion mechanism (you could provide an extension function...) you can't sort.

For that you need a language with built-in sorting or a way to express its algorithm. Both XSLT (1.0 or 2.0) and XQuery have these features.

Alejandro 2010-10-21 22:48:07

ansaurus

tags:

views:

answers:

Select top 10 events from wevtutil using xpath

related questions