This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 83%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hello!
I have created a Rule for requesting Events from WindowsEventMonitor.
In AlertDescription I want to Display some Information of Params/Parm[x]
Here is the EventData
<DataItem type="Microsoft.Windows.EventData" time="2024-05-08T11:17:49.9553985+02:00" sourceHealthServiceId="84C91BC2-139C-5D79-2143-9D822762D6AA">
<EventOriginId>{0264B512-C329-4ACF-9817-EBB6E1E103E4}</EventOriginId>
<PublisherId>{41738E55-CC1E-D752-EAD2-03A174254D61}</PublisherId>
<PublisherName>PublisherName</PublisherName>
<EventSourceName>PublisherName</EventSourceName>
<Channel>PublisherName/Operational</Channel>
<LoggingComputer>LoggingComputer</LoggingComputer>
<EventNumber>99</EventNumber>
<EventCategory>0</EventCategory>
<EventLevel>4</EventLevel>
<UserName>N/A</UserName>
<RawDescription><![CDATA[%1 ]]></RawDescription>
<LCID>1033</LCID>
<Params>
<Param>1.3.6.1.4.1.28126.11.8.101</Param>
<Param>In Version 2 nicht verfügbar</Param>
<Param>10.18.124.1:54270</Param>
<Param>public</Param>
<Param>1.3.6.1.4.1.28126.11.1.1</Param>
<Param>1974845077</Param>
<Param>1.3.6.1.4.1.28126.11.1.2</Param>
<Param>1</Param>
<Param>1.3.6.1.4.1.28126.11.1.3</Param>
<Param>Device rebooted: power-on TEST</Param>
<Param>1.3.6.1.4.1.28126.11.1.4</Param>
<Param>10257</Param>
<Param>1.3.6.1.4.1.28126.11.1.5</Param>
<Param>NetworkName</Param>
<Param>1.3.6.1.4.1.28126.11.1.6</Param>
<Param>IP-Address</Param>
<Param>1.3.6.1.4.1.28126.11.1.7</Param>
<Param>0</Param>
<Param>1.3.6.1.4.1.28126.11.1.8</Param>
<Param>1.3.6.1.4.1.28126.11.1.9</Param>
<Param>1.3.6.1.4.1.28126.11.1.10</Param>
<Param>2024-05-08 11:17:45</Param>
<Param>1.3.6.1.4.1.28126.11.1.11</Param>
<Param>MonitorName</Param>
<Param>1.3.6.1.4.1.28126.11.1.12</Param>
<Param>865</Param>
<Param>1.3.6.1.4.1.28126.11.1.13</Param>
<Param>4649</Param>
<Param>1.3.6.1.4.1.28126.11.1.14</Param>
<Param>Name</Param>
<Param>1.3.6.1.4.1.28126.11.1.15</Param>
<Param>1.3.6.1.4.1.28126.11.1.16</Param>
<Param>Type</Param>
<Param>1.3.6.1.4.1.28126.11.1.17</Param>
<Param>SN</Param>
<Param>1.3.6.1.4.1.28126.11.1.18</Param>
<Param>xxxx</Param>
<Param>1.3.6.1.4.1.28126.11.1.19</Param>
<Param>Location</Param>
<Param>1.3.6.1.4.1.28126.11.1.20</Param>
</Params>
<EventData>
<DataItem type="System.XmlData" time="2024-05-08T11:17:49.9553985+02:00" sourceHealthServiceId="84C91BC2-139C-5D79-2143-9D822762D6AA">
<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Data>1.3.6.1.4.1.28126.11.8.101</Data>
<Data>In Version 2 nicht verfügbar</Data>
<Data>10.18.124.1:54270</Data>
<Data>public</Data>
<Data>1.3.6.1.4.1.28126.11.1.1</Data>
<Data>1974845077</Data>
<Data>1.3.6.1.4.1.28126.11.1.2</Data>
<Data>1</Data>
<Data>1.3.6.1.4.1.28126.11.1.3</Data>
<Data>Device rebooted: power-on TEST</Data>
<Data>1.3.6.1.4.1.28126.11.1.4</Data>
<Data>10257</Data>
<Data>1.3.6.1.4.1.28126.11.1.5</Data>
<Data>NetworkName</Data>
<Data>1.3.6.1.4.1.28126.11.1.6</Data>
<Data>IP-Address</Data>
<Data>1.3.6.1.4.1.28126.11.1.7</Data>
<Data>0</Data>
<Data>1.3.6.1.4.1.28126.11.1.8</Data>
<Data/>
<Data>1.3.6.1.4.1.28126.11.1.9</Data>
<Data/>
<Data>1.3.6.1.4.1.28126.11.1.10</Data>
<Data>2024-05-08 11:17:45</Data>
<Data>1.3.6.1.4.1.28126.11.1.11</Data>
<Data>MonitorName</Data>
<Data>1.3.6.1.4.1.28126.11.1.12</Data>
<Data>865</Data>
<Data>1.3.6.1.4.1.28126.11.1.13</Data>
<Data>4649</Data>
<Data>1.3.6.1.4.1.28126.11.1.14</Data>
<Data>Name</Data>
<Data>1.3.6.1.4.1.28126.11.1.15</Data>
<Data/>
<Data>1.3.6.1.4.1.28126.11.1.16</Data>
<Data>Type</Data>
<Data>1.3.6.1.4.1.28126.11.1.17</Data>
<Data>SN</Data>
<Data>1.3.6.1.4.1.28126.11.1.18</Data>
<Data>xxxx</Data>
<Data>1.3.6.1.4.1.28126.11.1.19</Data>
<Data>Location</Data>
<Data>1.3.6.1.4.1.28126.11.1.20</Data>
<Data/>
</EventData>
</DataItem>
</EventData>
<EventDisplayNumber>99</EventDisplayNumber>
<EventDescription><![CDATA[1.3.6.1.4.1.28126.11.8.101 ]]></EventDescription>
<Keywords>36028797018963968</Keywords>
</DataItem>
You can see that empty EventDataItems are not listed in the Parameter-Section
DataItem
<Data>1.3.6.1.4.1.28126.11.1.8</Data>
<Data/>
<Data>1.3.6.1.4.1.28126.11.1.9</Data>
<Data/>
Parameter:
<Param>1.3.6.1.4.1.28126.11.1.8</Param>
<Param>1.3.6.1.4.1.28126.11.1.9</Param>
<Param>1.3.6.1.4.1.28126.11.1.10</Param>
My Problem:
I want to get the Data-Item "Date" (<Data>2024-05-08 11:17:45</Data>) which have the position [24]
But in ParameterSection it has position [22] because the 2 empty-Data-Strings will not be displayed in ParameterSection.
Is it possible to get the Item from ParameterSection like <AlertParameter1>$Data/EventData/DataItem/EventData/Data[24]$</AlertParameter1>?
This example returns no value.
rg
Hansi
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 81%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
To retrieve the data item "Date" from the ParameterSection, you can use the following XPath expression: For more information click here.
xml
Copy code
<AlertParameter1>$Data/EventData/DataItem/EventData/Data[24]$</AlertParameter1>
This should fetch the desired value for you. If it's not returning any value, ensure that the XPath expression is correct and matches the structure of your XML data accurately. If you continue to face issues, consider revising the expression or seeking assistance from someone familiar with XPath and XML parsing.