Built-in variable for task, relevance name

I’m writing a task where if a specific relevance is TRUE, the action writes an entry to the computer’s Event Log. Event Log entries allow a free-form text entry, and I’d like to include some information about which relevance is being triggered. I can do this manually, but I am wondering if there is something built-in that can refer to itself.

The reason is, after we find an entry in the System’s Event Log, it would be helpful to know the exact name of the triggered relevance, so we can look at it more closely in BigFix.

Example Relevance:

exists value “TEST” of key “Software\TEST” of current user keys (logged on users) of native registry

Associated Action:

dos eventcreate /l Application /t INFORMATION /so BigFix /id 666 /d “Registry Test Key Exists! RegValue={value “TEST” of key “Software\TEST” of current user keys (logged on users) of native registry}”

In the above example, instead of “Registry Test Key Exists” I’m wondering, wishing, hoping, I could write something like “Source={me}” or {this relevance} or {this} if I’m being clear. It would save me a lot of work as I write many of these tasks.

Thanks. If what I wrote is confusing, please ask me questions, and I’ll be happy to clarify.

This could get you started:

Relevance:

values of headers "X-Relevant-When" of fixlets whose (id of it = origin fixlet id of active action) of sites

Names:

values of headers "Subject" of fixlets whose (id of it = origin fixlet id of active action) of sites

There is an interesting issue doing it this way that i’ve never been able to figure out. Because there are duplicate fixlet IDs in your console and we can’t return the source fixlet from an action, just an ID that can correspond to multiple fixlets for instance…

If the ID of the fixlet making the change was 130 it would match your fixlet and these:

Q: values of headers "Subject" of fixlets whose (id of it = 130) of sites as string
A: BES Quick Reference - Production
A: Removable Media: Disable Future Use of CD-ROM Drives
A: Sample Plan: Microsoft Windows 2008R2 to 2012R2 Cluster - OS patching
A: Repository Configuration - SUSE Linux Enterprise

So you may want to modify the relevance to use something like…

sites whose (name of it contains "Content")

Instead of just, “Sites” and change “Content” to be the name of the site that contains all of your fixlets that write event logs.

Hope that helps!

1 Like

I tried a few variations on what you said. Unfortunately I’m still confused. This would be a task, not a fixlet, for the record. I’m not hip enough with the lingo to know if that makes a difference in the relevance you provided.

I also tried some variations within QnA and I didn’t get what you got.

q: values of headers “Subject” of fixlets whose (id of it = origin fixlet id of active action) of sites
T: 0.000 ms

q: values of headers “Subject” of fixlets whose (id of it = origin fixlet id of active action) of sites whose (name of it contains “OSC”)
T: 0.000 ms

q: values of headers “Subject” of tasks whose (id of it = origin task id of active action) of sites whose (name of it contains “OSC”)
E: The operator “tasks” is not defined.

The “origin task id of active action” requires context – it pulls from an active action.

If you use it in a fixlet and take action it will work – it wont produce anything from fixlet debugger because there is no active action

1 Like

Okay.

I created a fixlet. Under actions, I did:

dos eventcreate /l Application /t INFORMATION /so BigFix /id 666 /d “TEST: {values of headers “Subject” of fixlets whose (id of it = origin fixlet id of active action) of sites whose (name of it contains “OSC”)}”

  • OSC is in the name of our main site, of which all computers are a member.

I then ran it using “Take Action”. The output in Event Viewer is:

"TEST: "

Did you target a single computer for the action? Try…
dos eventcreate /l Application /t INFORMATION /so BigFix /id 666 /d “TEST: {values of headers “Subject” of fixlets whose (id of it = origin fixlet id of active action) of sites whose (name of it contains “OSC” or name of it contains “mailbox”)}”

Edit: This doesn’t matter – the fixlet doesn’t exist in the mailbox site unless the fixlet is a part of a baseline.

1 Like

(Thanks for your help)

Yes, this is against a single computer. Also (for now) there is a relevance clause limiting it to the sole computer for testing. I didn’t think that mattered, but I’m just saying it here for completeness’ sake.

I edited the section to read:

TEST: {values of headers “Subject” of fixlets whose (id of it = origin fixlet id of active action) of sites whose (name of it contains “OSC” or name of it contains “mailbox”)}

In the Event Log, I still get "Test: "

I replied too quickly. It DOES write the event log as I wrote above. BigFix says the action failed.

I discovered that the fixlet is part of my “Master Action Site” so I added…

or name of it contains “Master”

…to it. Same results.

As a master operator your actions and fixlets exist in the Actionsite so you also need to add,

or name of it contains "actionsite"
1 Like

HEY! That did it! Now I get:

TEST: JOSH TESTING FIXLET

which is the name of the fixlet.

So how do I one-up you or give you +karma or whatever on this site? :smile:

1 Like

Press the little heart next to every post i’ve ever written ;).

Also – my explanation prior was wrong:

As a master operator your actions occur in the Actionsite so you also need to add, 

    or name of it contains "actionsite"

While it is true that actions from master operators occur in the master action site – that has nothing to do with the relevance we are writing.

What actually matters is that the fixlet was in the Master Action site… The issue is that the Master Action Site is actually just called actionsite, so instead of filtering for, “Master” we just needed to do it for, “actionsite”.

1 Like

[quote=“jonvalt, post:11, topic:14796, full:true”]
So how do I one-up you or give you +karma or whatever on this site?
[/quote] Use the Like button - the one shaped like a heart

Run this: https://bigfix.me/fixlet/details/6250

It will give you a dump of a bunch of info available and the relevance substitution required to get it.