So the basic idea is this:
<complexType name="argPairType">
  <!-- name-value pair, separated by an equals sign -->
  <sequence>
    <element name="name" type="xs:string"
             dfdl:lengthKind="delimited" dfdl:terminator="="/>
    <element name="value" type="xs:string"
             dfdl:lengthKind="delimited"/>
  </sequence>
</complexType>
Then, in the primary structure you will use the above type:
<sequence dfdl:separator="%SP;" dfdl:terminator="%NL;">
  <!-- space separated line of arg pairs. -->
  <element name="arg" type="prefix:argPairType" minOccurs="0"
           maxOccurs="999" dfdl:occursCountKind="implicit"/>
</sequence>
On Mon, Nov 4, 2024 at 12:42 PM simon godden <[email protected]> wrote:
> We already have examples with up to 253 arguments, and so we would not
> want to specify hundreds of identical elements in the schema.
>
> I’m looking for something that will allow me to iterate on an arbitrary
> number of arguments, up to a sensible limit.
>
> Simon Godden
>
>
> On Mon, 4 Nov 2024 at 17:23, Steve Lawrence <[email protected]> wrote:
>
>> Note that I believe with type=EXECVE audit logs, the parameter names are
>> constant (e.g. it's always executable, a0, a1, etc.). If you know all the
>> parameter names, which I think we do in this case, we can use
>> tags/initiators to select the correct element which would allow you to
>> get something like the first representation.
>>
>> On 2024-11-04 12:01 PM, Mike Beckerle wrote:
>> > You cannot convert data values to element names in DFDL. The best you
>> > could do would be something like:
>> >
>> > <program-call>
>> > <executable>/bin/foo</executable>
>> > <arg><name>a0</name><value>arg0</value></arg>
>> > <arg><name>a1</name><value>arg1</value></arg>
>> > ...
>> > </program-call>
>> >
>> > On Mon, Nov 4, 2024 at 11:47 AM simon godden <[email protected]> wrote:
>> >
>> > I have linux auditd input representing a program call and its
>> > arguments with data such as this:
>> >
>> > type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3
>> >
>> > where the number of arguments is arbitrary
>> >
>> > Is it possible to parse this to a representation such as
>> >
>> > <program-call>
>> > <executable>/bin/foo</executable>
>> > <a0>arg1</a0>
>> > <a1>arg2</a1>
>> > <a2>arg3</a2>
>> > </program-call>
>> >
>> > in a way that will also unparse to the original content, and bearing
>> > in mind that the number of arguments is arbitrary (although we would
>> > impose a suitable maximum).
>> >
>> > --
>> > Simon Godden
>> >
>>
>>
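Added example, not part of the original thread and not Daffodil code: a small Python reference for the name/value representation discussed above, useful for checking that a parse of the sample record unparses to the identical line. It assumes a fixed leading "type=EXECVE" token, "executable" as the first pair, single-space separators and a newline terminator, and it reuses the 999-argument limit from the schema fragment; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MAX_ARGS = 999               # mirrors maxOccurs="999" in the schema fragment
RECORD_TYPE = "type=EXECVE"  # assumed fixed leading token, as in the sample line


def parse_execve(line: str) -> ET.Element:
    """Parse one record into <program-call> with repeated <arg> name/value pairs."""
    if not line.endswith("\n"):
        raise ValueError("record must end with a newline terminator")
    tokens = line[:-1].split(" ")
    if tokens[0] != RECORD_TYPE:
        raise ValueError("not an EXECVE record")
    pairs = []
    for tok in tokens[1:]:
        # Only the first '=' ends the name, so values may contain '='.
        name, eq, value = tok.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed pair: {tok!r}")
        pairs.append((name, value))
    if not pairs or pairs[0][0] != "executable":
        raise ValueError("missing executable= field")
    if len(pairs) - 1 > MAX_ARGS:
        raise ValueError("too many arguments")
    root = ET.Element("program-call")
    ET.SubElement(root, "executable").text = pairs[0][1]
    for name, value in pairs[1:]:
        arg = ET.SubElement(root, "arg")
        ET.SubElement(arg, "name").text = name
        ET.SubElement(arg, "value").text = value
    return root


def unparse_execve(root: ET.Element) -> str:
    """Rebuild the original text line from the parsed tree."""
    parts = [RECORD_TYPE, "executable=" + (root.findtext("executable") or "")]
    for arg in root.findall("arg"):
        parts.append(f"{arg.findtext('name')}={arg.findtext('value') or ''}")
    return " ".join(parts) + "\n"


# Sample record from the thread, with the newline terminator added.
SAMPLE = "type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3\n"
```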