Brilliant, thank you. I just needed those hints. I'll work on a solution using this pattern.

On Mon, 4 Nov 2024 at 20:43, Mike Beckerle <mbecke...@apache.org> wrote:
>
> So the basic idea is this:
>
> <complexType name="argPairType">
>   <!-- name-value pair, separated by an equals sign -->
>   <sequence>
>     <element name="name" type="xs:string" dfdl:lengthKind="delimited"
>       dfdl:terminator="="/>
>     <element name="value" type="xs:string"
>       dfdl:lengthKind="delimited"/>
>   </sequence>
> </complexType>
>
> Then, in the primary structure you will use the above type:
>
> <sequence dfdl:separator="%SP;" dfdl:terminator="%NL;">
>   <!-- space separated line of arg pairs. -->
>   <element name="arg" type="prefix:argPairType" minOccurs="0"
>     maxOccurs="999" dfdl:occursCountKind="implicit"/>
> </sequence>
>
>
> On Mon, Nov 4, 2024 at 12:42 PM simon godden <sgod...@gmail.com> wrote:
>>
>> We already have examples with up to 253 arguments, and so we would not want
>> to specify hundreds of identical elements in the schema.
>>
>> I’m looking for something that will allow me to iterate on an arbitrary
>> number of arguments, up to a sensible limit.
>>
>> Simon Godden
>>
>>
>> On Mon, 4 Nov 2024 at 17:23, Steve Lawrence <slawre...@apache.org> wrote:
>>>
>>> Note that I believe with type=EXECVE audit logs, the parameter names are
>>> constant (e.g. it's always executable, a0, a1, etc.). If you know all the
>>> parameter names, which I think we do in this case, we can use
>>> tags/initiators to select the correct element which would allow you to
>>> get something like the first representation.
>>>
>>> On 2024-11-04 12:01 PM, Mike Beckerle wrote:
>>> > You cannot convert data values to element names in DFDL. The best you
>>> > could do would be something like:
>>> >
>>> > <program-call>
>>> >   <executable>/bin/foo</executable>
>>> >   <arg><name>a0</name><value>arg0</value></arg>
>>> >   <arg><name>a1</name><value>arg1</value></arg>
>>> >   ...
>>> > </program-call>
>>> >
>>> > On Mon, Nov 4, 2024 at 11:47 AM simon godden <sgod...@gmail.com> wrote:
>>> >
>>> >     I have Linux auditd input representing a program call and its
>>> >     arguments with data such as this:
>>> >
>>> >     type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3
>>> >
>>> >     where the number of arguments is arbitrary.
>>> >
>>> >     Is it possible to parse this to a representation such as
>>> >
>>> >     <program-call>
>>> >       <executable>/bin/foo</executable>
>>> >       <a0>arg1</a0>
>>> >       <a1>arg2</a1>
>>> >       <a2>arg3</a2>
>>> >     </program-call>
>>> >
>>> >     in a way that will also unparse to the original content, and bearing
>>> >     in mind that the number of arguments is arbitrary (although we would
>>> >     impose a suitable maximum).
>>> >
>>> >     --
>>> >     Simon Godden
>>> >
>>>

--
Simon Godden
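
A small Python model of the name/value pattern quoted in this thread, added here as an illustration (it is not from any of the posters and is not Daffodil code). It is handy for checking the expected infoset shape and the parse/unparse round trip before writing the schema. The function names, the `program-call` root, and the assumption that values contain no spaces and records end in `\n` are choices made for this example.

```python
import xml.etree.ElementTree as ET

MAX_ARGS = 999  # mirrors maxOccurs="999" in the quoted schema

# Sample record taken from the thread, with the %NL; terminator made explicit.
SAMPLE = "type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3\n"


def parse_line(line):
    """Parse one record into <program-call><arg><name/><value/></arg>...."""
    if not line.endswith("\n"):
        raise ValueError("record is missing its newline terminator")
    body = line[:-1]
    tokens = body.split(" ") if body else []  # %SP; separator between pairs
    if len(tokens) > MAX_ARGS:
        raise ValueError(f"{len(tokens)} pairs exceeds the limit of {MAX_ARGS}")
    root = ET.Element("program-call")
    for tok in tokens:
        # The name ends at the first "="; the value runs to the next separator,
        # so a value may itself contain "=" (e.g. --opt=1).
        name, eq, value = tok.partition("=")
        if not eq:
            raise ValueError(f"no '=' after name in {tok!r}")
        arg = ET.SubElement(root, "arg")
        ET.SubElement(arg, "name").text = name
        ET.SubElement(arg, "value").text = value
    return root


def unparse(root):
    """Rebuild the original record text from the infoset."""
    pairs = [f"{a.findtext('name')}={a.findtext('value')}"
             for a in root.findall("arg")]
    return " ".join(pairs) + "\n"


def to_xml(root):
    """Serialize the infoset so it can be compared with the XML in the thread."""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    tree = parse_line(SAMPLE)
    print(to_xml(tree))
    print(unparse(tree) == SAMPLE)
```

Because names stay as data in `<name>` elements rather than becoming element names, the argument count is bounded only by `MAX_ARGS`, which is the property the thread is after.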