Parse XML Content From Task Triggers

Extract and analyze XML data from scheduled tasks using the parseXml() function

Query

logscale

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| Trigger:=rename(Task.Triggers.LogonTrigger.Enabled)
| Trigger=*
| table([aid, Trigger, TaskXml], limit=1000)

Introduction

The parseXml() function can be used to parse XML content from fields, making the structured data available for analysis.

In this example, the parseXml() function is used to extract trigger information from scheduled task XML data.

Example incoming data might look like this:

@timestamp	aid	event_simpleName	TaskXml
2025-10-15T10:00:00Z	aid123	ScheduledTaskRegistered	<Task><Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers></Task>
2025-10-15T10:01:00Z	aid124	ScheduledTaskRegistered	<Task><Triggers><LogonTrigger><Enabled>false</Enabled></LogonTrigger></Triggers></Task>
2025-10-15T10:02:00Z	aid125	ScheduledTaskRegistered	<Task><Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers></Task>
2025-10-15T10:03:00Z	aid126	ScheduledTaskRegistered	<Task><Triggers><LogonTrigger><Enabled>false</Enabled></LogonTrigger></Triggers></Task>

Step-by-Step

Starting with the source repository events.
logscale
```
#event_simpleName=ScheduledTaskRegistered
```
Filters events where event_simpleName equals ScheduledTaskRegistered.
logscale
```
| parseXml(TaskXml)
```
Parses the XML content from the TaskXml field. The function creates a structured object with the parsed XML data, making nested elements accessible using dot notation.
logscale
```
| Trigger:=rename(Task.Triggers.LogonTrigger.Enabled)
```
Creates a new field named Trigger containing the value from the parsed XML path Task.Triggers.LogonTrigger.Enabled.
logscale
```
| Trigger=*
```
Filters to keep only events where Trigger has a value. This line can be removed if empty trigger values should be included in the results.
logscale
```
| table([aid, Trigger, TaskXml], limit=1000)
```
Creates a table showing the aid, Trigger, and original TaskXml fields, limited to 1000 rows.
Event Result set.

Summary and Results

The query is used to extract and analyze trigger settings from scheduled task XML data.

This query is useful, for example, to monitor and audit scheduled task configurations and identify tasks with specific trigger settings.

Sample output from the incoming example data:

aid	Trigger	TaskXml
aid123	true	<Task><Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers></Task>
aid124	false	<Task><Triggers><LogonTrigger><Enabled>false</Enabled></LogonTrigger></Triggers></Task>
aid125	true	<Task><Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers></Task>
aid126	false	<Task><Triggers><LogonTrigger><Enabled>false</Enabled></LogonTrigger></Triggers></Task>

Versions of this Page

Examples Library