XPath greater than operator?

Question

I'm trying to select all event log entries beyond a certain date. So far I think I got equals, but I don't know how to change this to greater than the specified date... so close yet so far!

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[TimeCreated[@SystemTime='2013-01-01T12:21:25.0000000']]]</Select>
  </Query>
</QueryList>

Answer 1

I found the best way to create a XPath query for EventLog. See here on how to create a custom view. After you create the custom view, with whatever filter you want, simply click on the XML, and voila, it shows you the XPath query that it constructed itself!

The next challenge was the formating of the date. I used this: "yyyy-MM-ddThh:mm:ss:fffZ"

I also think you cannot create a filter that says, shows me everything after this date. So I simply recreated a range between the date I wanted and the current date.

For completeness, here is the filter that I created (who dreams up specs for this?)

<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[(Level=1 or Level 2 or Level=3) and TimeCreated[@SystemTime&gt;='2013-01-01T12:00:00:000Z' and @SystemTime&lt;='2013-02-13T05:30:34:948Z']]]</Select>
</Query>
</QueryList>

Answer 2

Use something like this:

*[System[TimeCreated[
    number(translate(substring-before(@SystemTime, 'T'), '-', '')) > 20130101]]]

If you need to consider the entire string, then strip everything unnecessary to the comparison:

*[System[TimeCreated[
    number(translate(@SystemTime, '-T:.', '')) > 201301011221250000000]]]