This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 93%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAJ%3C/text%3E%3C/svg%3E)
Hi Team,
We are working on extracting keys and values from XML event logs for some data analytics applications. While working on designing the parser we came across a different behavior that is causing an issue defining the rules for the parser.
Consider an example event below:
<Event xmlns='http://xyz.pqr.abc/win/2004/08/events/event'>
<System>
<TimeCreated SystemTime='2021-03-11 10:06:17Z' />
</System>
<EventData>
<Data Name='WorkstationName'></Data>
<Data Name='TransmittedServices'>dummyvalue</Data>
</EventData>
</Event>
I have removed other irrelevant fields from the above event.
So what we expect is
Expected: Event.System.TimeCreated.SystemTime = 2021-03-11 10:06:17Z
Actual: Event.System.TimeCreated.SystemTime = 2021-03-11 10:06:17Z
and for (ambiguity is present here)
Expected: EventData.Data.Name.WorkstationName = <empty value>
Actual: EventData.Data.Name = WorkstationName
and for
Expected: EventData.Data.Name.TransmittedServices = dummyvalue
Actual: EventData.Data.Name.TransmittedServices = dummyvalue (since it has value)
But if we define a specific rule then this would not result in what we want, as you can see above.
Is there any way that can help us resolve this issue or any windows document which can define the rules for the format of the event?
Please suggest if there is some way to move ahead here.
Thank You
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 26%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYK%3C/text%3E%3C/svg%3E)
It is not clear what technology you are using to query Windows XML Event Logs.
Please add it to you question.
Actually, it's a third-party data analytics tool, which collects the data. But the medium seems irrelevant since the exact logs in event viewer in XML format are received.
Hello,
Thank you for your question..
As far I know you can create custom Query or View using XPath to fetch the event viewer data.
Please have look on below Microsoft article which may help you further.
If the reply was helpful, please don’t forget to upvote or accept as answer.
Thanks a lot for your input. but the issue here is we will be providing an application to the users, and we expect our application to work in the default configuration and don't want to have any additional configuration. So we will get the logs in the format which is the default one, we need to have our parser such that it handles this scenario.
So for example, if we have one rule than it will have ambiguity for this two lines in log(refer the xml above):
Expected: Event.System.TimeCreated.SystemTime = 2021-03-11 10:06:17Z
Actual: Event.System.TimeCreated.SystemTime = 2021-03-11 10:06:17Z
and for (ambiguity is present here)
Expected: EventData.Data.Name.WorkstationName = <empty value>
Actual: EventData.Data.Name = WorkstationName
Hello,
Thank you for response
As per my experience there is no way you can change this built-in behavior and I think you need to handle it programmatically.
@Limitless Technology
Yes correct, this needs to be handled programmatically, but we are figuring out the best way to handle this. As in If I can be sure that tags that have no </> closing tag, will not contain any data within tag except attributes or maybe the tags within EventData with Data Name which has a specific closing tag, may contain empty value and data as well.