Tags: windows, xpath, xpath-1.0

How to select for content contains substring in Windows Event Viewer using XPath 1.0?


Windows Event Viewer (WEV) allows custom queries using "a subset of XPath 1.0."1 I've been unsuccessfully struggling for a couple hours to craft a query that works. I'm hoping someone on the stack knows XPath 1.0 better than I... At this point I'm not sure if the XPath "subset" WEV accepts doesn't accept contains(), or if I'm just not crafting a valid query. (I am very n00b at XPath.)

What I think should work is *[EventData[Data[contains(text(),"foo")]]] or *[Event[contains(Data, "foo")]]. The intent is to select every node that has an EventData element that has a Data element that contains the substring "foo" in its text content.

FWIW, the query *[EventData[Data]] does select every node that has an EventData element that has a Data element. I just need to narrow the 30,622 results down to the 7 that I know contain "foo".

Edit

@gilles-quénot was unclear on what I'm asking, so here are the step-by-step instructions to reproduce it and the expected output:

  1. Open Windows Event Viewer (%windir%\system32\eventvwr.msc /s)

  2. Open the System logs

  3. Click on Create Custom View... (on right side of window), select the XML tab, and enable Edit query manually.

  4. Change the query to:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[EventData[Data[@Name="updateTitle"]]]</Select>
  </Query>
</QueryList>

  5. Click the OK button twice, and you should have selected a couple hundred to a couple thousand events depending on how many updates your system has had. Here is an example event:

[screenshot of an example event]

  6. Edit the filter to change the Select element to <Select Path="System">*[EventData[contains(Data, "Intelligence Update")]]</Select>, click OK twice and you should get this error message:

No messages are selected.

Edit 2

I found a link that documents WEV's XPath 1.0 limitations. Unfortunately, I find the documentation a little ambiguous. On the one hand it says "Any valid XPath expression is acceptable if the location paths conform to the following restrictions." In those restrictions it does not say the XPath 1.0 functions are not supported, and it explicitly says the position function, band function, and timediff functions are supported.

On the other hand, it definitely seems WEV does not accept a valid XPath 1.0 query (e.g. *[EventData[Data[contains(., "Intelligence Update")]]]), so the implication is that WEV does not support any of the XPath 1.0 functions except the three mentioned in the restrictions.

Comment on possible duplicates

This question was marked as a duplicate, but it doesn't overlap with any of the questions that were proposed as duplicates. My query is specifically for Windows Event Viewer which uses XPath 1.0 syntax as part of its filter implementation.

It is probable that future users of Windows Event Viewer will have this question and might not find it if this question is closed, because the others do not reference WEV.


Solution

  • With the sample data you have shown, where there are several Data elements, instead of <Select Path="System">*[EventData[contains(Data, "Intelligence Update")]]</Select>, I think you need <Select Path="System">*[EventData[Data[contains(., "Intelligence Update")]]]</Select>. But that is just in terms of XPath (1) syntax and semantics, I have no idea whether it will work in the particular, somehow restricted environment you use.
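An added PowerShell example (not code from the question, the answer or Microsoft) that first checks the answer's point about contains(Data, ...) versus Data[contains(., ...)] in .NET's full XPath 1.0 engine on a constructed event, then runs the per-node predicate against the live System log with Get-WinEvent next to a client-side substring filter that works whether or not the Event Log service implements contains(). The sample event's EventID, Data order and title text are constructed, and the real event namespace is left out.

```powershell
# Added example; not code from the question, the answer, or Microsoft.
# Part 1: check the answer's XPath 1.0 semantics in a full XPath 1.0 engine
# (.NET XmlDocument.SelectNodes) on a constructed event. The real event XML has a
# default namespace, omitted here so unprefixed names match; the <Data> order is
# assumed, with the title deliberately not in the first <Data>.
[xml]$sample = @"
<Events>
  <Event>
    <System><EventID>19</EventID></System>
    <EventData>
      <Data Name="updateRevisionNumber">1</Data>
      <Data Name="updateTitle">Security Intelligence Update for Microsoft Defender Antivirus</Data>
    </EventData>
  </Event>
</Events>
"@

# contains(Data, ...) converts the Data node-set to a string using only its FIRST
# node (the string "1"), so the substring is never seen and no event is selected.
$firstNodeOnly = $sample.SelectNodes('/Events/Event[EventData[contains(Data, "Intelligence Update")]]')
# Data[contains(., ...)] tests each Data node on its own, so the event is selected.
$perNode = $sample.SelectNodes('/Events/Event[EventData[Data[contains(., "Intelligence Update")]]]')
"contains(Data, ...) matched $($firstNodeOnly.Count); Data[contains(., ...)] matched $($perNode.Count)"

# Part 2: the live System log. Get-WinEvent passes -FilterXPath to the Event Log
# service, which applies the same restricted XPath subset as Event Viewer.
function Get-SystemEvents([string]$XPath) {
    try { Get-WinEvent -LogName System -FilterXPath $XPath -ErrorAction Stop }
    catch { Write-Warning "Query '$XPath' returned nothing: $($_.Exception.Message)" }
}

# A: let the service evaluate contains(). Empty both when it rejects the function
#    and when nothing matches, so the warning text tells the two cases apart.
$viaService = @(Get-SystemEvents '*[EventData[Data[contains(., "Intelligence Update")]]]')

# B: use only the attribute predicate the question confirmed works, then test the
#    event's <Data> values in PowerShell; this does not depend on contains() support.
$viaClient = @(Get-SystemEvents '*[EventData[Data[@Name="updateTitle"]]]' |
    Where-Object { $_.Properties.Value -like '*Intelligence Update*' })

"service-side contains(): $($viaService.Count) event(s); client-side filter: $($viaClient.Count) event(s)"
$viaClient | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
```

Part 1 runs anywhere PowerShell and .NET are present; Part 2 needs a Windows host with a System log and reads it only, which is a sensible way to confirm which predicates the service accepts before committing them to a custom view.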