Analysis run between x and y times ONLY

I am looking to see if there is a way to only have an analysis run between say 8 AM and 10 AM client local time… Thanks

Can you provide an example?

You mean analysis properties?

What is the use case?

You can limit the interval for analysis properties to report (like once an hour), but you can’t set when they would report. Part of the reason for this is the property reporting interval is the most frequent a client would evaluate and report, but a client could always report in less often due to being offline, powered down, or in the middle of a long relevance evaluation at the moment the interval happens. You generally want the reporting interval for analysis properties to be twice as often as you think you need it so that clients are most likely to send fresh data, but also not less than once an hour for efficiency of the client. (Once every 6 hours or less often is ideal.)

You could however set them to report once every 30 days, but then make a minor change to a property relevance with the REST API every 8am to cause clients to report in fresh… but I don’t think I would generally recommend this solution.

There is probably a much better solution that would meet your needs, but I would need to know more info to be certain.

So the use case is, we have long running McAfee ODS scans. I have an analysis that looks for the presence of “Scan64.exe”. I only care if this process is present after 8 AM, when the scheduled ODS scans are set to end. I was thinking of a client setting like the maintenance window possible to use. I pull the results of the analysis into our ticket coding system and generate tickets based off the fact that the Scan64.exe application is running past its allotted time.

You might consider adding this to your Analysis relevance:

Q: current time_of_day > "08:00:00" as time_of_day & local time zone and current time_of_day < "23:59:59" as time_of_day & local time zone
A: True

Or in the property relevance itself:
current time_of_day > "08:00:00" as time_of_day & local time zone and current time_of_day < "23:59:59" as time_of_day & local time zone AND exists process "scan64.exe"


Thanks brolly33, I went with option 2.

I would report a value to the property that included the current time if the process is running, or NOTHING if it is not running, then set it to report once every 30 minutes or something like that. Then you should have accurate data by 8:30am to generate tickets from by examining the results of this value and the last report time of the client.

This only works for actions.

This will work but only if the client is still reporting in. If this value becomes true and the client is powered off and stays off, then it will continue to report TRUE forever (until the client is powered back on and the value can be updated). Same if it is powered off just before it updates it from FALSE.

It is nice to have this evaluated on the endpoint, but with the raw data, you can do more on the REST API automation side to interpret the raw data and handle it more gracefully.

It might be enough to just use the true/false of the process running and the last report time.

One thing that is annoying if you do use more raw data in the property results is it isn’t super useful when looking at the analysis results to immediately tell what is going on. You can use a Custom Console Dashboard and/or a Web Report to give a view into the raw data while also allowing for the data to be interpreted and presented in its non-raw form. I do have examples, but many of them are a bit complicated, but this one comes to mind: bigfix-content/dashboards/Computer_Filter_Search.ojo at main · jgstew/bigfix-content · GitHub

I do have a presentation and a series of self-directed labs for creating custom dashboards if you are interested: jgstew.github.io/_posts/2018-10-29-Open-BigFix-Console-Presentation-Debugger.md at master · jgstew/jgstew.github.io · GitHub
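
Added example, not part of the original thread and not code from any poster or from BigFix: a sketch of the server-side interpretation discussed above, deciding from the raw property value plus the client's last report time whether a ticket is warranted, so that a powered-off client's frozen result is not ticketed. The row layout, the ISO 8601 value format, the computer names and the 60-minute freshness window are assumptions; the rows are constructed sample data rather than REST API output.

```python
from datetime import datetime, time, timedelta

SCAN_DEADLINE = time(8, 0)        # from the thread: ODS scans should end by 08:00 client local time
MAX_AGE = timedelta(minutes=60)   # assumption: two missed 30-minute reports means stale data

# Constructed sample rows: (computer, property value, client last report time).
# Assumed value format: ISO 8601 client-local timestamp with UTC offset,
# or "" when Scan64.exe was not running at evaluation time.
SAMPLE_ROWS = [
    ("ws-001", "2024-03-05T09:31:00-05:00", "2024-03-05T14:32:00+00:00"),
    ("ws-002", "",                          "2024-03-05T14:20:00+00:00"),
    ("ws-003", "2024-03-04T08:45:00-05:00", "2024-03-04T13:50:00+00:00"),
    ("ws-004", "2024-03-05T06:35:00-08:00", "2024-03-05T14:36:00+00:00"),
]

def classify(value, last_report, now):
    """Return 'ok', 'stale' or 'ticket' for one computer's result."""
    reported = datetime.fromisoformat(last_report)
    # A client that went offline keeps its last value forever, whether that
    # value says "running" or "not running", so neither can be trusted.
    if now - reported > MAX_AGE:
        return "stale"
    if not value:
        return "ok"               # fresh report, process not running
    observed = datetime.fromisoformat(value)
    if now - observed > MAX_AGE:
        return "stale"            # client reports in, but this value is old
    # .time() is the wall-clock time in the value's own UTC offset,
    # which is the client's local time.
    return "ticket" if observed.time() >= SCAN_DEADLINE else "ok"

def triage(rows, now):
    """Map each computer name to its classification."""
    return {name: classify(value, last, now) for name, value, last in rows}

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-05T14:40:00+00:00")
    for name, state in triage(SAMPLE_ROWS, now).items():
        print(name, state)
```

Only ws-001 produces a ticket here: ws-003 last reported a day earlier, and ws-004 is still before 08:00 in its own time zone even though it is already afternoon in UTC.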