Expressions in XML format for structured data
Structured data in XML format contains one or more properties, which are represented as key-value pairs.
You can extract properties from an event that is in XML format by writing an expression that matches the property. Valid XML expressions are in the form of a single key reference.
Enter the path to the XML field that you want to use to populate the property's value. An XML key path must begin with a forward slash (/) to indicate the root of the XML object, and be followed by one or more XML field names within double quotation marks.
<EPOEvent><MachineInfo><MachineName>NEPTUNE</MachineName><MachineName>VALUE23</MachineName><AgentGUID>9B-B5-A6-A8-37-B3</AgentGUID><IPAddress someattrib="someattribvalue">192.0.2.0</IPAddress><OSName>Windows 7</OSName><UserName>I am a test user</UserName></MachineInfo></EPOEvent>
To capture the value nested in the top-level OSName object, type /"EPOEvent"/"MachineInfo"/"OSName" in the Expression field.
To capture the attribute value, use a period (.) after the key path. For example, to capture someattribvalue, type /"EPOEvent"/"MachineInfo"/"IPAddress".someattrib in the Expression field.
To combine multiple fields together with multiple paths, enclose each path in set brackets ({ }). For example: {/"EPOEvent"/"MachineInfo"/"OSName"} {/"EPOEvent"/"MachineInfo"/"MachineName"[1]}
To capture the value that is nested within multiple tags with the same name, use [0], [1], and so on, after the key path. For example, to capture VALUE23, type /"EPOEvent"/"MachineInfo"/"MachineName"[1] in the Expression field.
Matches in the payload are highlighted in the event data in the Workspace of the DSM Editor.
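The following added example (not part of the product or its documentation) is a small Python evaluator for the key-path syntax described above, useful for checking an expression against a captured payload offline. The function names eval_path and extract, the default of index 0 when no index is given, and the literal handling of text between bracketed paths are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Sample event copied from the page.
EVENT = ('<EPOEvent><MachineInfo><MachineName>NEPTUNE</MachineName>'
         '<MachineName>VALUE23</MachineName><AgentGUID>9B-B5-A6-A8-37-B3</AgentGUID>'
         '<IPAddress someattrib="someattribvalue">192.0.2.0</IPAddress>'
         '<OSName>Windows 7</OSName><UserName>I am a test user</UserName>'
         '</MachineInfo></EPOEvent>')

# One path step: /"FieldName" with an optional [n] index.
SEGMENT = re.compile(r'/"([^"]+)"(?:\[(\d+)\])?')
# Whole key path: one or more steps, then an optional .attribute suffix.
KEY_PATH = re.compile(r'((?:/"[^"]+"(?:\[\d+\])?)+)(?:\.([\w:-]+))?')

def eval_path(root, path):
    """Resolve one key path; return None if it is malformed or matches nothing."""
    m = KEY_PATH.fullmatch(path.strip())
    if m is None:
        return None  # missing leading slash, unquoted field name, etc.
    steps = SEGMENT.findall(m.group(1))
    name, idx = steps[0]
    if root.tag != name or int(idx or 0) != 0:
        return None  # the first step must name the root element
    node = root
    for name, idx in steps[1:]:
        same_name = [child for child in node if child.tag == name]
        i = int(idx or 0)  # assumption: no index selects the first match
        if i >= len(same_name):
            return None
        node = same_name[i]
    # .attribute suffix reads the attribute, otherwise the element text.
    return node.get(m.group(2)) if m.group(2) else node.text

def extract(expression, xml_text=EVENT):
    """Evaluate a single key path or a combined {path} {path} expression."""
    root = ET.fromstring(xml_text)
    if "{" not in expression:
        return eval_path(root, expression)
    # Assumption: text between bracketed paths is kept as written,
    # and a path with no match contributes an empty string.
    return re.sub(r"\{([^{}]*)\}",
                  lambda m: eval_path(root, m.group(1)) or "", expression)

if __name__ == "__main__":
    print(extract('/"EPOEvent"/"MachineInfo"/"IPAddress".someattrib'))
```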