#1

    Arrays of hashes and foreach


    Hash syntax always seems to drive me nuts. I have an XML string I parsed with XML::Simple. It is an array of hashes that is quite large so I am not posting it unless it becomes unavoidable. I am hoping the context will be sufficient. The XML object is an array of hashes and this code prints what I expect:
    Code:
    my $xmlobj=XML::Simple->new();
    my $xml=$xmlobj->XMLin("<log>$xmlstring</log>");
    print(Dumper($xml->{Event}[0])."\n");
    print(Dumper($xml->{Event}[1])."\n");
    Since that proves I have an array of hashes, I want to put it into a foreach loop:
    Code:
    my $xmlobj=XML::Simple->new();
    my $xml=$xmlobj->XMLin("<log>$xmlstring</log>");
    foreach my $node ($xml->{Event}) {
    	print(Dumper($node->{EventData})."\n");
    }
    The problem is that it tells me that $node is not a hash. Yet it sure looks that way to me from the first dumper output:
    Code:
    $VAR1 = {
              'System' => {
                          'Security' => {},
                          'Computer' => 'ctx-gpf-601-p.cisco.com',
                          'Channel' => 'Security',
                          'Execution' => {
                                         'ThreadID' => '7628',
                                         'ProcessID' => '992'
                                       },
                          'Correlation' => {},
                          'EventID' => '4624',
                          'TimeCreated' => {
                                           'SystemTime' => '2014-06-16T19:13:51.045225600Z'
                                         },
                          'Task' => '12544',
                          'Keywords' => '0x8020000000000000',
                          'Version' => '0',
                          'EventRecordID' => '207031',
                          'Provider' => {
                                        'Guid' => '{54849625-5478-4994-A5BA-3E3B0328C30D}',
                                        'Name' => 'Microsoft-Windows-Security-Auditing'
                                      },
                          'Level' => '0',
                          'Opcode' => '0'
                        },
              'xmlns' => 'http://schemas.microsoft.com/win/2004/08/events/event',
              'EventData' => {
                             'Data' => [
                                       {
                                         'content' => 'S-1-5-20',
                                         'Name' => 'SubjectUserSid'
                                       },
                                       {
                                         'content' => 'CTX-GPF-601-P$',
                                         'Name' => 'SubjectUserName'
                                       },
                                       {
                                         'content' => 'CISCO',
                                         'Name' => 'SubjectDomainName'
                                       },
                                       {
                                         'content' => '0x3e4',
                                         'Name' => 'SubjectLogonId'
                                       },
                                       {
                                         'content' => 'S-1-5-21-1708537768-1303643608-725345543-9219646',
                                         'Name' => 'TargetUserSid'
                                       },
                                       {
                                         'content' => 'CTX-GPF-601-P$',
                                         'Name' => 'TargetUserName'
                                       },
                                       {
                                         'content' => 'CISCO',
                                         'Name' => 'TargetDomainName'
                                       },
                                       {
                                         'content' => '0x162b0e526',
                                         'Name' => 'TargetLogonId'
                                       },
                                       {
                                         'content' => '3',
                                         'Name' => 'LogonType'
                                       },
                                       {
                                         'content' => 'IMA',
                                         'Name' => 'LogonProcessName'
                                       },
                                       {
                                         'content' => 'Kerberos',
                                         'Name' => 'AuthenticationPackageName'
                                       },
                                       {
                                         'content' => 'CTX-GPF-601-P',
                                         'Name' => 'WorkstationName'
                                       },
                                       {
                                         'content' => '{E99F8BE3-351F-BFAD-B57E-780AC0231083}',
                                         'Name' => 'LogonGuid'
                                       },
                                       {
                                         'content' => '-',
                                         'Name' => 'TransmittedServices'
                                       },
                                       {
                                         'content' => '-',
                                         'Name' => 'LmPackageName'
                                       },
                                       {
                                       },
                                       {
                                         'content' => '0',
                                         'Name' => 'KeyLength'
                                       },
                                       {
                                         'content' => '0x1060',
                                         'Name' => 'ProcessId'
                                       },
                                       {
                                         'content' => 'C:\\Program Files (x86)\\Citrix\\system32\\Citrix\\Ima\\ImaSrv.exe',
                                         'Name' => 'ProcessName'
                                       },
                                       {
                                         'content' => '-',
                                         'Name' => 'IpAddress'
                                       },
                                       {
                                         'content' => '-',
                                         'Name' => 'IpPort'
                                       }
                                     ]
                           }
            };
    I want to process all the EventData nodes but I cannot get the right syntax in the foreach loop to reference it. Can someone point me in the right direction? TIA.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  2. #2
    Sorry, from what you said, I do not know what $VAR1 is in your data structure.

    We need to see the top data structure. Please show a sample of a dump of the $xml data structure.
  4. #3
    Sorry, I thought it was obvious that $VAR1 is the output from dumper.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  6. #4
    Try:
    Code:
    foreach my $node (@{ $xml->{Event} }) {

    Comments on this post

    • keath agrees : not sure why I can't add points. I'll revisit it later
  8. #5
    Sorry, I thought it was obvious that $VAR1 is the output from dumper.
    Sure, it is obvious that it is the output of the dumper, but it is not clear to me from the dumping of which variable exactly. Is it from the $xml variable, or from some subvariable?
  10. #6
    My understanding is that it's the output of this line:
    Code:
    print(Dumper($xml->{Event}[0])."\n");
  12. #7
    Code:
    my $nodes = $xml->{Event};
    
    if (ref($nodes) eq 'ARRAY') {
    	foreach my $node (@$nodes) {
    		print Dumper $node->{EventData};
    	}
    } else {
    	warn "not an array reference";
    }
    As Fish showed, you need to dereference in order to treat the pointer as an array.

    You can also use the ref keyword to test what kind of value you are getting.
    Last edited by keath; June 16th, 2014 at 11:13 PM.
  14. #8
    Originally Posted by FishMonger
    My understanding is that it's the output of this line:
    Code:
    print(Dumper($xml->{Event}[0])."\n");
    Damn! I swear I tried that several times in my many iterations. In any case that part is working now. Thanks but you better hide because I will likely be back when I try to go to the next child node.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
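
Added example, not part of any post in this thread: the dereference from post #4 and the ref() check from post #7, applied to a constructed log that holds only one Event, the case where XMLin without ForceArray returns a hash reference instead of an array reference. It also flattens the EventData Name/content pairs into one hash, which is usually what you want when reading logon events. The sample XML, the host name and the event_fields helper are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::Simple;

# Constructed sample: a single Event, so that without ForceArray
# $xml->{Event} would be a hash ref and @{ $xml->{Event} } would die.
my $xmlstring = <<'XML';
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>host1.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">HOST1$</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
XML

# ForceArray keeps Event and Data as array refs even when only one is present.
# KeyAttr => [] turns off attribute-based folding so Data stays a plain list.
my $xml = XMLin("<log>$xmlstring</log>",
                ForceArray => ['Event', 'Data'],
                KeyAttr    => []);

# Hypothetical helper: turn [{Name => ..., content => ...}, ...] into a flat hash.
sub event_fields {
    my ($event) = @_;
    my $data = $event->{EventData}{Data};
    return {} unless ref($data) eq 'ARRAY';    # same check as in post #7
    my %fields;
    for my $d (@$data) {
        next unless ref($d) eq 'HASH' && defined $d->{Name};
        $fields{ $d->{Name} } = $d->{content}; # undef for empty elements
    }
    return \%fields;
}

# Dereference the array ref before looping, as in post #4.
for my $event (@{ $xml->{Event} }) {
    my $f = event_fields($event);
    printf "%s EventID=%s user=%s logon_type=%s src=%s\n",
        $event->{System}{Computer}, $event->{System}{EventID},
        $f->{TargetUserName} // '?', $f->{LogonType} // '?', $f->{IpAddress} // '?';
}
```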
