XML初次接觸

 with xmlnamespaces(default 'http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data')
 SELECT top 5 CONVERT(datetime,SWITCHOFFSET(CONVERT(datetimeoffset, event_time),DATENAME(TzOffset, SYSDATETIMEOFFSET()))) AS '觸發審核的日期和時間' ,
--b.connect_time,
        sequence_number AS '單個審核記錄中的記錄順序' ,
        action_id AS '操作的 ID' ,
        succeeded AS '觸發事件的操作是否成功' ,
        permission_bitmask AS '權限掩碼' ,
        is_column_permission AS '是否為列級別權限' ,
        a.session_id AS '發生該事件的會話的 ID' ,
        server_principal_id AS '執行操作的登錄上下文 ID' ,
        database_principal_id AS '執行操作的數據庫用戶上下文 ID' ,
        target_server_principal_id AS '執行 GRANT/DENY/REVOKE 操作的服務器主體' ,
        target_database_principal_id AS '執行 GRANT/DENY/REVOKE 操作的數據庫主體' ,
        object_id AS '發生審核的實體的 ID(服務器對象，DB,數據庫對象，架構對象)' ,
        class_type AS '可審核實體的類型' ,
        session_server_principal_name AS '會話的服務器主體' ,
        server_principal_name AS '當前登錄名' ,
        server_principal_sid AS '當前登錄名 SID' ,
        database_principal_name AS '當前用戶' ,
        target_server_principal_name AS '操作的目標登錄名' ,
        target_server_principal_sid AS '目標登錄名的 SID' ,
        target_database_principal_name AS '操作的目標用戶' ,
        server_instance_name AS '審核的服務器實例的名稱' ,
        database_name AS '發生此操作的數據庫上下文' ,
        schema_name AS '此操作的架構上下文' ,
        object_name AS '審核的實體的名稱' ,
        statement AS 'TSQL 語句（如果存在）' ,
        additional_information AS '單個事件的唯一信息，以 XML 的形式返回' ,
        file_name AS '記錄來源的審核日志文件的路徑和名稱' ,
        audit_file_offset AS '包含審核記錄的文件中的緩沖區偏移量' ,
        user_defined_event_id AS '作為 sp_audit_write 參數傳遞的用戶定義事件 ID' ,
        user_defined_information AS '于記錄用戶想要通過使用 sp_audit_write 存儲過程記錄在審核日志中的任何附加信息'--,
 --b.CLIENT_NET_ADDRESS AS 'ClientIPAddress' --into MyAudit..Audit_DYDB_UPDL
 ,additional_information--.value('(/action_info/address)[1]','varchar(20)')
FROM   sys.[fn_get_audit_file]('D:\SqlAudits\MyAudit_1FE965A7-77D0-41A6-9D40-543162C722F2_0_131486627855460000.sqlaudit',
                                DEFAULT, DEFAULT) a --left join SYS.DM_EXEC_CONNECTIONS b with(nolock)
 --on a.session_id=b.session_id
where 
--CONVERT(datetime,SWITCHOFFSET(CONVERT(datetimeoffset, event_time),DATENAME(TzOffset, SYSDATETIMEOFFSET()))) between dateadd(mi, -5,getdate()) and getdate()
--and  
action_id='LGIS'




declare @xml xml='<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><pooled_connection>0</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>4096</packet_data_size><address>10.20.50.11</address><is_dac>0</is_dac></action_info>';


with xmlnamespaces(default 'http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data')
select @xml.value('(/action_info/address)[1]','varchar(20)')


<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><pooled_connection>0</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>4096</packet_data_size><address>10.20.50.11</address><is_dac>0</is_dac></action_info>