XPath greater than operator?

Question

I'm trying to select all event log entries beyond a certain date. So far I think I got equals, but I don't know how to change this to greater than the specified date... so close yet so far!

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[TimeCreated[@SystemTime='2013-01-01T12:21:25.0000000']]]</Select>
  </Query>
</QueryList>

Presumably this is an XPath 1.0 question, because in 2.0 it would be trivial. You really need to say. — Michael Kay, Feb 13 '13 at 21:48
Sorry not an XPath expert. Query would run against the eventlog of a Windows Server 2008 R2. Does that help? — codeputer, Feb 13 '13 at 22:07
There are many different XPath processors that run on Windows, some support XPath 2.0 and some don't. XPath 2.0 allows order comparisons on strings; XPath 1.0 does not. — Michael Kay, Feb 14 '13 at 21:48

score 2 · Accepted Answer · answered Feb 14 '13 at 00:42

I found the best way to create a XPath query for EventLog. See here on how to create a custom view. After you create the custom view, with whatever filter you want, simply click on the XML, and voila, it shows you the XPath query that it constructed itself!

The next challenge was the formating of the date. I used this: "yyyy-MM-ddThh:mm:ss:fffZ"

I also think you cannot create a filter that says, shows me everything after this date. So I simply recreated a range between the date I wanted and the current date.

For completeness, here is the filter that I created (who dreams up specs for this?)

<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[(Level=1 or Level 2 or Level=3) and TimeCreated[@SystemTime&gt;='2013-01-01T12:00:00:000Z' and @SystemTime&lt;='2013-02-13T05:30:34:948Z']]]</Select>
</Query>
</QueryList>

For future reference: if one would like to use @codeputer query as an "inline" query (not sure what's the correct term), i.e., to only use the text under the `Select` tag, then `gt;=` and `lt;=` should be replaced with `>=` and `<=` respectively. I got an exception otherwise. — OfirD, Sep 09 '19 at 14:57

score 1 · Answer 2 · answered Feb 13 '13 at 19:47

1

Use something like this:

*[System[TimeCreated[
    number(translate(substring-before(@SystemTime, 'T'), '-', '')) > 20130101]]]

If you need to consider the entire string, then strip everything unnecessary to the comparison:

*[System[TimeCreated[
    number(translate(@SystemTime, '-T:.', '')) > 201301011221250000000]]]

answered Feb 13 '13 at 19:47

Wayne

59,728
15
131
126

I'm trying this by create a view in the event log and pasting in the XML. It tells me there is an error, but nothing else. I've tried both. I notice however that > gets changed to > which can't be right. How do I prevent that? – codeputer Feb 13 '13 at 22:08
1

OP was trying to query event logs, [which only supports a subset of XPath 1.0](https://learn.microsoft.com/en-us/previous-versions//aa385231(v=vs.85)#selection-limitations). It seems that `number`, `translate`, `substring-before` are not supported. – OfirD Sep 09 '19 at 14:40

XPath greater than operator?

2 Answers2