Windows Task Scheduler XPath for filtering event on hour of day
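I am creating a custom event filter to trigger a task from Windows Task Scheduler. I need to select my event only if it occurred before x o'clock.
Here is the part of the event XML that I care about: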
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T04:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
So far I have the following XPath, but it is missing the time restriction:
<QueryList>
<Query Id="0" Path="Cisco AnyConnect Secure Mobility Client">
<Select Path="Cisco AnyConnect Secure Mobility Client">*[System[Provider[@Name='acvpnagent'] and (EventID=2039)]]</Select>
</Query>
</QueryList>
Is it possible to add a condition on TimeCreated to meet my constraint? On Windows 10, am I still limited to XPath 1.0?
This XPath 1.0 expression will select the Event nodes as follows
//x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000]
This XPath will select the nodes based on the criteria in the OP's example
//x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039]
While this part of the XPath adds the filter by time
number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000
Date handling
Given the ISO-8601 date 2021-11-01T04:24:49.6333217Z, this will return the HH:mm:ss part
substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),".")
Result: 04:24:49
Let's remove the semicolons:
translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")
Result: 042449
Finally, convert it to a number and compare it with the desired limit
number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000
Given this XML sample
<root>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T04:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T08:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T11:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T22:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
</root>
Using this XPath to find the events that match the criteria and occurred before 11:00:00
//x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000]
Result:
echo -e 'setns x=http://schemas.microsoft.com/win/2004/08/events/event\ncat //x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000]' | xmllint --shell tmp.xml
/ > setns x=http://schemas.microsoft.com/win/2004/08/events/event
/ > cat //x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000]
-------
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent"/>
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T04:24:49.6333217Z"/>
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
-------
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent"/>
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T08:24:49.6333217Z"/>
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
/ >
If the full date is used for the comparison, this would be the XPath expression
//x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(./x:System/x:TimeCreated/@SystemTime,"."),"T:-","")) < 20211101110000]
Note 1: expressions starting with ./ are evaluated in the context of the current node.
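Note 2: I don't have Windows to test on, but XPath 1.0 is basically language/OS independent, so it should work. The OP needs to add namespace handling in his implementation, or remove the x: namespace prefix from the expressions in this answer.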
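Added example, not part of the original question or answer: the same time-of-day filter written with Python's standard library instead of XPath string functions, with the event namespace bound explicitly as Note 2 requires. It also covers two inputs the string-slicing expression does not: a SystemTime with no fractional seconds, and the fact that SystemTime is UTC, so the cutoff can be applied in another zone. The function names, the fifth sample timestamp and the UTC-5 offset are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, time, timedelta, timezone

NS = {"x": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the four timestamps from the answer's XML plus one
# (the last) that has no fractional seconds.
_EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          '<System><Provider Name="acvpnagent"/>'
          '<EventID Qualifiers="25600">2039</EventID>'
          '<TimeCreated SystemTime="{}"/></System></Event>')
SAMPLE_TIMES = ["2021-11-01T04:24:49.6333217Z", "2021-11-01T08:24:49.6333217Z",
                "2021-11-01T11:24:49.6333217Z", "2021-11-01T22:24:49.6333217Z",
                "2021-11-01T09:00:00Z"]
SAMPLE = "<root>" + "".join(_EVENT.format(t) for t in SAMPLE_TIMES) + "</root>"


def parse_system_time(value):
    """Parse a SystemTime attribute (UTC, 'Z' suffix); the fraction is optional."""
    head, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0  # 7 digits -> microseconds
    return stamp.replace(microsecond=micro, tzinfo=timezone.utc)


def events_before(xml_text, cutoff, tz=timezone.utc,
                  provider="acvpnagent", event_id="2039"):
    """Return SystemTime of matching events whose time of day in tz is < cutoff."""
    hits = []
    for system in ET.fromstring(xml_text).iterfind(".//x:Event/x:System", NS):
        prov = system.find("x:Provider", NS)
        created = system.find("x:TimeCreated", NS)
        if prov is None or created is None:
            continue
        if prov.get("Name") != provider:
            continue
        if system.findtext("x:EventID", namespaces=NS) != event_id:
            continue
        when = parse_system_time(created.get("SystemTime"))
        if when.astimezone(tz).time() < cutoff:
            hits.append(created.get("SystemTime"))
    return hits


if __name__ == "__main__":
    print(events_before(SAMPLE, time(11, 0)))  # cutoff applied in UTC
    print(events_before(SAMPLE, time(11, 0), tz=timezone(timedelta(hours=-5))))
```

Windows Event Log queries accept only a subset of XPath 1.0, which does not include string functions such as translate or substring-before, so a filter of this kind would run inside the triggered task rather than in the trigger query itself.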