
Query XML Event Log Data using SQL

<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ASP.NET 4.0.30319.0" />
<EventID Qualifiers="32768">1309</EventID>
<Level>3</Level>
<Task>3</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-10-10T01:37:16.000000000Z" />
<EventRecordID>14870</EventRecordID>
<Channel>Application</Channel>
<ComputerXXXXX</Computer>
<Security />
</System>
<EventData>
<Data>3005</Data>
<Data>An unhandled exception has occurred.</Data>
<Data>10/10/2014 02:37:16</Data>
<Data>10/10/2014 01:37:16</Data>
<Data>f68c3bc5c6594c02bf13a5a99a0627a3</Data>
<Data>8138</Data>
<Data>15</Data>
<Data>0</Data>
<Data>/LM/W3SVC/3/ROOT-1-XXXXXX</Data>
<Data>Full</Data>
<Data>/</Data>
<Data>C:\Web\XXXXX\</Data>
<Data>XXXXX</Data>
<Data />
<Data>31428</Data>
<Data>w3wp.exe</Data>
<Data>Domain\User</Data>
<Data>HttpException</Data>
<Data>Exception of type 'System.Web.HttpException' was thrown.
at System.Web.Handlers.TraceHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
at etc
</Data>
<Data>http://XXX/trace.axd</Data>
<Data>/trace.axd</Data>
<Data>XXX.XXX.XX.XX</Data>
<Data />
<Data>False</Data>
<Data />
<Data>XXXXX</Data>
<Data>57</Data>
<Data>XXXXXX</Data>
<Data>False</Data>
<Data>   at System.Web.Handlers.TraceHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext context)  at etc

</Data>
 </EventData>
</Event>

...
etc
</Events>

I have saved some Windows Event logs as XML and inserted them into SQL using the following method:

CREATE TABLE XmlSourceTable
(
      RecordId INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
      XmlData XML NOT NULL
)
GO

INSERT INTO XmlSourceTable(XmlData)
SELECT
    * 
FROM OPENROWSET (BULK 'C:\xmlfile.xml', SINGLE_CLOB) 
AS XMLData

I am attempting to query the XML using the following method but cannot get it to work at all.

SELECT
      WEvent.query('System') as SystemFragmentXML
FROM   
      XmlSourceTable CROSS APPLY 
      XmlData.nodes('/Events/Event') AS WindowsEvent(WEvent)

Can anyone help me out?

Your XML has a default namespace declared at the <Event> node level. So basically that node and all of its descendants are in the same namespace.

You need to register a prefix that points to the default namespace, and use that prefix in the XPath, for example:

;WITH XMLNAMESPACES('http://schemas.microsoft.com/win/2004/08/events/event' as d)
SELECT
      WEvent.query('d:System') as SystemFragmentXML
FROM   
      XmlSourceTable CROSS APPLY 
      XmlData.nodes('/Events/d:Event') AS WindowsEvent(WEvent)

First of all, your XML is broken - you have several XML elements (like <Computer>) that aren't properly closed and you're missing a closing </Events>.

Once I had fixed these issues, then the next problem is that you're blatantly ignoring the XML namespace that's defined on the <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> node.

Try this query (using native XQuery support instead of legacy OPENROWSET):

;WITH XMLNAMESPACES ('http://schemas.microsoft.com/win/2004/08/events/event' AS we)
SELECT
      XC.query('we:System') as SystemFragmentXML
FROM  
      dbo.XmlSourceTable  
CROSS APPLY
      XmlData.nodes('/Events/we:Event') AS XT(XC)
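
Building on the namespace-prefix queries in the answers above, the following added example (not part of the original question or answers) shreds each event into columns with value() and filters on the EventID, which is what log triage usually needs instead of an XML fragment. It runs against a constructed inline sample rather than XmlSourceTable; the host, account, URL and address values are placeholders, the prefix e and the column names are arbitrary, and TRY_CONVERT assumes SQL Server 2012 or later.

```sql
-- Constructed sample: one well-formed event laid out like the 1309 event on this page,
-- with placeholder host, account, URL and address values.
DECLARE @Events XML = N'<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ASP.NET 4.0.30319.0" />
    <EventID Qualifiers="32768">1309</EventID>
    <TimeCreated SystemTime="2014-10-10T01:37:16.000000000Z" />
    <EventRecordID>14870</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WEB01.example.test</Computer>
  </System>
  <EventData>
    <Data>3005</Data><Data>An unhandled exception has occurred.</Data>
    <Data>10/10/2014 02:37:16</Data><Data>10/10/2014 01:37:16</Data>
    <Data>00000000000000000000000000000000</Data><Data>8138</Data>
    <Data>15</Data><Data>0</Data><Data>/LM/W3SVC/3/ROOT-1-EXAMPLE</Data>
    <Data>Full</Data><Data>/</Data><Data>C:\Web\Example\</Data>
    <Data>WEB01</Data><Data /><Data>31428</Data><Data>w3wp.exe</Data>
    <Data>EXAMPLE\svc_web</Data><Data>HttpException</Data>
    <Data>Exception of type System.Web.HttpException was thrown.</Data>
    <Data>http://www.example.test/trace.axd</Data><Data>/trace.axd</Data>
    <Data>192.0.2.10</Data>
  </EventData>
</Event>
</Events>';

-- Bind a prefix to the default namespace declared on <Event>.
-- The <Events> wrapper itself is in no namespace, so it takes no prefix.
WITH XMLNAMESPACES ('http://schemas.microsoft.com/win/2004/08/events/event' AS e)
SELECT
    E.value('(e:System/e:EventRecordID)[1]', 'BIGINT')          AS EventRecordID,
    E.value('(e:System/e:Provider/@Name)[1]', 'NVARCHAR(256)')  AS ProviderName,
    E.value('(e:System/e:Computer)[1]', 'NVARCHAR(256)')        AS Computer,
    -- SystemTime carries 9 fractional digits and DATETIME2 holds 7,
    -- so keep the first 27 characters before converting.
    TRY_CONVERT(DATETIME2(7),
        LEFT(E.value('(e:System/e:TimeCreated/@SystemTime)[1]', 'VARCHAR(40)'), 27))
                                                                AS TimeCreatedUtc,
    -- <Data> items are positional; these indexes follow the sample event on this page.
    E.value('(e:EventData/e:Data)[18]', 'NVARCHAR(256)')        AS ExceptionType,
    E.value('(e:EventData/e:Data)[20]', 'NVARCHAR(2048)')       AS RequestUrl,
    E.value('(e:EventData/e:Data)[21]', 'NVARCHAR(2048)')       AS RequestPath,
    E.value('(e:EventData/e:Data)[22]', 'NVARCHAR(64)')         AS ClientAddress
FROM @Events.nodes('/Events/e:Event') AS T(E)
WHERE E.exist('e:System/e:EventID[. = "1309"]') = 1;
```

To run it against the table from the question, replace the FROM line with `FROM XmlSourceTable CROSS APPLY XmlData.nodes('/Events/e:Event') AS T(E)`.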
