Creating a web report that spits out all actions with computer names

JasonWalker · October 22, 2024, 6:15pm

Running queries directly against the database is usually bad in that some of the table/row locking can interfere with our ability to insert, modify, or delete rows at the same time. I’ve been involved in at least one instance that required a restore from backup when the database was corrupted, where we believe a set of SQL queries was the root cause.

That said, have you looked at the database directly? Even if locking weren’t an issue, I’m not sure the schema is something you’d be able to decipher or use effectively in Grafana. In many cases we are using rows where you might expect to see columns instead - I’m not sure how you’d make sense out of this without some heavy processing.

JasonWalker · October 22, 2024, 6:16pm

It’s not that you should be using BigFix Explorer for that kind of query, it just seems at first look like Explorer may not have this particular bug around %25 encoding.

Web Reports should be able to service the query perfectly fine, it just is not.

Skylente · October 22, 2024, 6:18pm

That makes sense, I forgot about locking.

I have looked at the database, and it definitely wasn’t easy to figure out where everything is (deciphering like you said)

Skylente · October 22, 2024, 6:43pm

Understood thank you. So it seems like Web Reports is the play here. I have Web Reports already ingesting other reports/data into Grafana and it is working well.

Skylente · October 24, 2024, 5:54pm

I managed to get a custom web report that shows Action ID, Action Name, Computer name, and Action Status (Not relevant, Fixed, etc.),

“ID”,“Action Name”,“Computer Name”,“Action Status”

<?relevance (html it) of concatenation "%0d%0a" of ( ( "%22" & id of action of it as string & "%22,%22" & name of action of it & "%22,%22" & name of computer of it & "%22,%22" & status of it as string & "%22" ) of results of member actions of bes actions ) ?>

I am now working on a different report to try to get Issued By and action state. Unfortunately the in-house reports don’t break up baselines, I really wish they would have an option by default…

Skylente · November 4, 2024, 1:49pm

I used this to get the issued by and action state.

<?relevance "ID,Issuer,Day,Time Issued,State" & "%0A" & concatenation "%0A" of ( (ID of it as String | "No ID") & "," & (name of issuer of it as string | "No Issuer") & "," & (time issued of it as string | "No Time Issued") & "," & (state of it as string | "No State") ) of bes actions ?>

I am all set for now