I have an XML file for the SAG Alliance Gateway, and I'm using an XML flex connector to process it. The connector works, but I'm having trouble with a nested element in the XML. Specifically, I need to extract the value of "RequestRef" using XPath, but my current XPath expression also captures "SwiftRequestRef". Can anyone help me refine the XPath to target only "RequestRef"?
Sample XML
<?xml version="1.0"?>
<Sag:EventLogList xmlns:Sag="urn:swift:sag:ns_Sag">
  <Sag:EventLog>
    <Sag:LogSysTime>01/07/2024 14:09:50.8020</Sag:LogSysTime>
    <Sag:LogSequence>15953137</Sag:LogSequence>
    <Sag:ApplicationId><![CDATA[fin_xxxxxxxx]]></Sag:ApplicationId>
    <Sag:LogCorrelationId>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Sag:LogCorrelationId>
    <Sag:PlugInName>Sag:SN-I</Sag:PlugInName>
    <Sag:EventNumber>1000</Sag:EventNumber>
    <Sag:EventName>SNL request primitive received</Sag:EventName>
    <Sag:EventSeverity>Information</Sag:EventSeverity>
    <Sag:EventClass>Message</Sag:EventClass>
    <Sag:LogUnitName>None</Sag:LogUnitName>
    <Sag:LogMessage><![CDATA[SNL request primitive received.
Received from Application : fin_xxxxxxxx (Interface : Sag:APL-I)
Primitive : ExchangeRequest
Payload size : 353
Requestor: cn=xxxxxxx,o=xxxxxx,o=swift
Responder: cn=xxxx,cn=fin,o=swift,o=swift
Service: swift.fin
RequestType: DATA
Priority:
RequestRef: 001025F01LAFBLYLTAXXX0795275654
RequestControl:
<SwInt:RequestControl>
<SwInt:RequestCrypto>FALSE</SwInt:RequestCrypto>
<SwInt:NRIndicator>FALSE</SwInt:NRIndicator>
<Sw:ReturnSignatureList>FALSE</Sw:ReturnSignatureList>
</SwInt:RequestControl>
]]></Sag:LogMessage>
    <Sag:LogProcess>sagpi_sni</Sag:LogProcess>
    <Sag:RecordVersion>0</Sag:RecordVersion>
  </Sag:EventLog>
  <Sag:EventLog>
    <Sag:LogSysTime>01/07/2024 14:11:05.1310</Sag:LogSysTime>
    <Sag:LogSequence>15953659</Sag:LogSequence>
    <Sag:ApplicationId><![CDATA[fin_xxxxxxxx]]></Sag:ApplicationId>
    <Sag:LogCorrelationId>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Sag:LogCorrelationId>
    <Sag:PlugInName>Sag:SN-I</Sag:PlugInName>
    <Sag:EventNumber>2000</Sag:EventNumber>
    <Sag:EventName>SNL response primitive sent</Sag:EventName>
    <Sag:EventSeverity>Information</Sag:EventSeverity>
    <Sag:EventClass>Message</Sag:EventClass>
    <Sag:LogUnitName>None</Sag:LogUnitName>
    <Sag:LogMessage><![CDATA[SNL response primitive sent.
Sent to Application : fin_xxxxxxxx (Interface : Sag:APL-I)
Primitive : HandleRequest
Payload size : 122
SwiftRequestRef: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SwiftRef: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Requestor: cn=xxxx,cn=fin,o=swift,o=swift
Responder: cn=xxxx,o=xxxxxx,o=swift
Service: swift.fin
RequestType: SIGNAL
Priority:
RequestRef: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
]]></Sag:LogMessage>
    <Sag:LogProcess>sagpi_sni</Sag:LogProcess>
    <Sag:RecordVersion>0</Sag:RecordVersion>
  </Sag:EventLog>
</Sag:EventLogList>
My current parser:
# ArcSight FlexConnector XML File Reader Configuration
# Configuration for parsing XML files

# Namespace
namespace.count=1
namespace[0].prefix=Sag
namespace[0].uri=urn:swift:sag:ns_Sag

# Hop Nodes
hop.node.count=1
hop.node[0].name=EventLogList
hop.node[0].expression=/Sag:EventLogList

# Trigger Node
trigger.node.expression=//Sag:EventLog

# Token Count
token.count=25

# Tokens
token[0].name=LogSysTime
token[0].type=TimeStamp
token[0].format=dd/MM/yyyy HH:mm:ss.SSS
token[0].expression=Sag:LogSysTime

token[1].name=LogSequence
token[1].type=Integer
token[1].expression=Sag:LogSequence

token[2].name=ApplicationId
token[2].type=String
token[2].expression=Sag:ApplicationId

token[3].name=LogCorrelationId
token[3].type=String
token[3].expression=Sag:LogCorrelationId

token[4].name=PlugInName
token[4].type=String
token[4].expression=Sag:PlugInName

token[5].name=EventNumber
token[5].type=String
token[5].expression=Sag:EventNumber

token[6].name=EventName
token[6].type=String
token[6].expression=Sag:EventName

token[7].name=EventSeverity
token[7].type=String
token[7].expression=Sag:EventSeverity

token[8].name=EventClass
token[8].type=String
token[8].expression=Sag:EventClass

token[9].name=LogUnitName
token[9].type=String
token[9].expression=Sag:LogUnitName

token[10].name=LogMessage
token[10].type=String
token[10].expression=Sag:LogMessage

token[11].name=LogProcess
token[11].type=String
token[11].expression=Sag:LogProcess

token[12].name=RecordVersion
token[12].type=Integer
token[12].expression=Sag:RecordVersion

# Additional Tokens to split LogMessage
token[13].name=SenttoApplication
token[13].type=String
token[13].expression=substring-before(substring-after(Sag:LogMessage, 'Sent to Application : '), '\n')

token[14].name=ReceivedfromApplication
token[14].type=String
token[14].expression=substring-before(substring-after(Sag:LogMessage, 'Received from Application : '), '\n')

token[15].name=Primitive
token[15].type=String
token[15].expression=substring-before(substring-after(Sag:LogMessage, 'Primitive : '), '\n')

token[16].name=PayloadSize
token[16].type=String
token[16].expression=substring-before(substring-after(Sag:LogMessage, 'Payload size : '), '\n')

token[17].name=Status
token[17].type=String
token[17].expression=substring-before(substring-after(Sag:LogMessage, 'Status : '), '\n')

token[18].name=SwiftRequestRef
token[18].type=String
token[18].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftRequestRef: '), '\n')

token[19].name=SwiftRef
token[19].type=String
token[19].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftRef: '), '\n')

token[20].name=SwiftResponseRef
token[20].type=String
token[20].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftResponseRef: '), '\n')

token[21].name=Requestor
token[21].type=String
token[21].expression=substring-before(substring-after(Sag:LogMessage, 'Requestor: '), '\n')

token[22].name=Responder
token[22].type=String
token[22].expression=substring-before(substring-after(Sag:LogMessage, 'Responder: '), '\n')

token[23].name=Service
token[23].type=String
token[23].expression=substring-before(substring-after(Sag:LogMessage, 'Service: '), '\n')

token[24].name=RequestType
token[24].type=String
token[24].expression=substring-before(substring-after(Sag:LogMessage, 'RequestType: '), '\n')

# Conditional Mapping using token
conditionalmap.count=1
conditionalmap[0].token=EventNumber
# Assuming EventNumber is the token to evaluate
conditionalmap[0].mappings.count=2

# Mapping for EventNumber=2000
conditionalmap[0].mappings[0].values=2000
conditionalmap[0].mappings[0].event.deviceCustomString3=substring-before(substring-after(Sag:LogMessage, 'RequestRef: '), '\n')

# Mapping for EventNumber=1000
conditionalmap[0].mappings[1].values=1000
conditionalmap[0].mappings[1].event.deviceCustomString3=substring-before(substring-after(Sag:LogMessage, 'RequestRef: '), '\n')

additionaldata.enabled=true
trim.values=true
trim.tokens=true

# Event Mappings
event.deviceCustomDate1=LogSysTime
event.deviceCustomDate1Label=__stringConstant(LogSysTime)
event.deviceCustomNumber1=LogSequence
event.deviceCustomNumber1Label=__stringConstant(LogSequence)
event.deviceEventClassId=EventNumber
event.deviceCustomString1=PlugInName
event.deviceCustomString1Label=__stringConstant(PlugInName)
event.externalId=LogCorrelationId
# event.deviceCustomString3 is set by conditional mapping
# event.deviceCustomString3=RequestRef
# event.deviceCustomString3Label=__stringConstant(RequestRef)
event.deviceSeverity=EventSeverity
event.deviceCustomString4=EventClass
event.deviceCustomString4Label=__stringConstant(EventClass)
event.deviceCustomString5=LogUnitName
event.deviceCustomString5Label=__stringConstant(LogUnitName)
event.message=LogMessage
event.deviceCustomString6=LogProcess
event.deviceCustomString6Label=__stringConstant(LogProcess)
event.deviceCustomNumber3=RecordVersion
event.deviceCustomNumber3Label=__stringConstant(RecordVersion)
event.name=EventName
event.deviceVendor=__stringConstant(SAG)
event.deviceProduct=__stringConstant(Swift)

# Mapping additional tokens
event.applicationProtocol=Primitive
event.devicePayloadId=PayloadSize
event.deviceCustomString2=Status
event.deviceCustomString2Label=__stringConstant(Status)
event.fileId=SwiftRequestRef
event.sourceUserName=Requestor
event.destinationUserName=Responder
event.requestContext=RequestType
# event.deviceCustomString7=Service
# event.deviceCustomString7Label=__stringConstant(Service)
event.sourceProcessName=SenttoApplication
event.destinationProcessName=ReceivedfromApplication

severity.map.veryhigh.if.deviceSeverity=Severe,Critical,Fatal
severity.map.high.if.deviceSeverity=High,Major
severity.map.medium.if.deviceSeverity=Medium,Warning
severity.map.low.if.deviceSeverity=Low,Information,Info
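
Why the expression in the post returns the SwiftRequestRef value on EventNumber 2000 records, shown as an added example that is not part of the original post: XPath 1.0 `substring-after()` splits at the first occurrence of its argument, and 'RequestRef: ' first occurs inside 'SwiftRequestRef: '. The Python helpers below emulate the two XPath string functions over a constructed sample message; the anchored form, `substring-before(substring-after(Sag:LogMessage, '\nRequestRef: '), '\n')` in the config's own notation, assumes every field label starts at the beginning of a line.

```python
import xml.etree.ElementTree as ET

NS = {"Sag": "urn:swift:sag:ns_Sag"}

# Constructed sample modelled on the post's EventNumber 2000 record,
# one field per line (assumption), with made-up reference values.
SAMPLE = """<?xml version="1.0"?>
<Sag:EventLogList xmlns:Sag="urn:swift:sag:ns_Sag"><Sag:EventLog>
<Sag:EventNumber>2000</Sag:EventNumber>
<Sag:LogMessage><![CDATA[SNL response primitive sent.
Sent to Application : fin_xxxxxxxx (Interface : Sag:APL-I)
Primitive : HandleRequest
SwiftRequestRef: swift-request-ref-value
SwiftRef: swift-ref-value
RequestType: SIGNAL
Priority:
RequestRef: request-ref-value
]]></Sag:LogMessage>
</Sag:EventLog></Sag:EventLogList>"""


def substring_after(text, needle):
    """XPath 1.0 substring-after(): text after the FIRST match, else ''."""
    _, found, tail = text.partition(needle)
    return tail if found else ""


def substring_before(text, needle):
    """XPath 1.0 substring-before(): text before the FIRST match, else ''."""
    head, found, _ = text.partition(needle)
    return head if found else ""


def log_message(xml_text):
    """Return the CDATA text of the first Sag:LogMessage element."""
    root = ET.fromstring(xml_text)
    return root.find("Sag:EventLog/Sag:LogMessage", NS).text


def request_ref_unanchored(msg):
    # Mirrors the post's expression: matches inside 'SwiftRequestRef: ' first.
    return substring_before(substring_after(msg, "RequestRef: "), "\n")


def request_ref_anchored(msg):
    # Leading newline: only a label that starts its own line can match.
    return substring_before(substring_after(msg, "\nRequestRef: "), "\n")
```

If the real log lines carry leading whitespace before the labels, the newline anchor will not match and a different anchor is needed.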