Custom Reports

system · December 6, 2006, 12:20am

(imported topic written by JasonO91)

I’m not sure the difference between the following two pieces of relevance. I’m only interested in the Computer Name, Fixlet Name, Source, Source ID, Source Severity, and Category. When I remove the header and corresponding relevance for User Name or Last Report, I get the following error message:

This expression contained a character which is not allowed.

In another related problem with this Custom Report, when I attempt to add CVE ID, SANS ID, and Source Release date, errors are given because not all of the Fixlets have this information.

<?relevance trs of (td of (id of item 1 of it as string) & td of name of item 1 of it & td of concatenation ", " of values of results (bes property "IP Address", item 1 of it) & td of value of result (bes property "User Name", item 1 of it) & td of value of result (bes property "Last Report Time", item 1 of it) & td of (ID of item 0 of it as string) & td of name of item 0 of it & td of source of item 0 of it & td of source id of item 0 of it & td of source severity of item 0 of it & td of category of item 0 of it ) of (relevant fixlets whose (source severity of it as lowercase = "critical" OR source severity of it as lowercase = "important") of it, it) of bes computers whose (exists result (bes property "ip address", it) ) ?>

Computer ID

Computer Name

IPs

User Name

Last Report Time

Fixlet ID

Fixlet Name

Source

Source ID

Source Severity

Category

Thanks for your time,

Jason

system · December 6, 2006, 2:21am

(imported comment written by JasonO91)

I think I finally understand most of what’s going on here, but I just can’t get the last part of it right. Everything works except for the Source Release Date.

<?relevance trs of (td of name of item 1 of it & td of name of item 0 of it & td of source of item 0 of it & td of source id of item 0 of it & td of source severity of item 0 of it & td of source release date of item 0 of it & td of category of item 0 of it ) of (relevant fixlets whose (source severity of it as lowercase = "critical" OR source severity of it as lowercase = "important") of it, it) of bes computers whose (exists result (bes property "computer name", it) ) ?>

Computer Name

Fixlet Name

Source

Source ID

Source Severity

Source Release Date

Category

I get the following error:

The operator “td” is not defined.

If I pull out source release date, and the corresponding header, everything works.

Jason

BenKus · December 6, 2006, 7:06am

(imported comment written by BenKus)

Hey Jason,

This is very good!

The issue is that “td” requires a string or HTML argument. Try changing the one line to:

td of (source release date of item 0 of it as string) &

Ben

system · December 6, 2006, 6:28pm

(imported comment written by JasonO91)

When I change the query, I get the following error:

Singular expression refers to nonexistent object.

No matter how I change the query to test for blank or error messages, I either get that message or the query can’t be parsed.

Unfortunately I don’t have a good way to test the relevance because I can’t find a query the relevance debugger can evaluate.

If you guys could shed some light on how you guys troubleshoot the relevance, would be greatly apprecitated.

Jason

system · December 6, 2006, 11:43pm

(imported comment written by jessewk)

Jason,

You can not evaluate these in the relevance debugger because it does not have access to the console memory, which is where all the data is stored.

You have 2 options to evaluate queries that use session inspectors:

Web Reports QNA: http://your.webreports.server/cgi-bin/besreports/besreports.exe?page=QNA
Console Presentation debugger: In the console, press cntrl-alt-shift-D and check the box in the window that comes up to ‘show debug menu’. From the debug menu you can select the presentation debugger and use that to evaluate your queries.

To fix your report you’ll probably need to add some error checking. Instead of:

… of (relevant fixlets whose (source severity of it as lowercase = “critical” OR source severity of it as lowercase = “important”) of it, it)

Try:

of (relevant fixlets whose (exists source severity of it AND (source severity of it as lowercase = “critical” OR source severity of it as lowercase = “important”)) of it, it)

And instead of:

trs of (td of name of item 1 of it &

td of name of item 0 of it &

td of source of item 0 of it &

td of source id of item 0 of it &

td of source severity of item 0 of it &

td of source release date of item 0 of it &

td of category of item 0 of it

)

Try:

trs of (td of (if exists name of item 1 of it then name of item 1 of it else “no name”) of it &

td of (if exists name of item 0 of it then name of item 0 of it else “no name”) of it &

td of (if exists source of item 0 of it then source of item 0 of it else “no source”) of it &

td of (if exists source id of item 0 of it then source id of item 0 of it else “no source id”) of it &

td of (if exists source severity of item 0 of it then source severity of item 0 of it else “no source severity”) of it &

td of (if exists source release date of item 0 of it then source release date of item 0 of it else “no source release date”) of it &

td of (if exists category of item 0 of it then category of item 0 of it else “no category”) of it

)

system · December 7, 2006, 12:31am

(imported comment written by JasonO91)

Jesse,

Thanks for the syntax to check if the field exists, however when I use the following code, I still get an error:

<?relevance trs of (td of (if exists name of item 1 of it then name of item 1 of it else "no name") of it & td of (if exists name of item 0 of it then name of item 0 of it else "no name") of it & td of (if exists source of item 0 of it then source of item 0 of it else "no source") of it & td of (if exists source id of item 0 of it then source id of item 0 of it else "no source id") of it & td of (if exists source severity of item 0 of it then source severity of item 0 of it else "no source severity") of it & td of (if exists (source release date of item 0 of it as string) then (source release date of item 0 of it as string) else "no source release date") of it & td of (if exists category of item 0 of it then category of item 0 of it else "no category") of it ) of (relevant fixlets whose (exists source severity of it AND (source severity of it as lowercase = "critical" OR source severity of it as lowercase = "important")) of it, it) of bes computers whose (exists result (bes property "computer name", it)) ?>

Computer Name

Fixlet Name

Source

Source ID

Source Severity

Source Release Date

Category

Returns:

Singular expression refers to nonexistent object.

It’s definitely the source release date that’s causing the problem.

Thanks,

Jason

system · December 7, 2006, 12:52am

(imported comment written by jessewk)

maybe try it without the cast to string in the existence check:

td of (if exists source release date of item 0 of it then source release date of item 0 of it as string else “no source release date”) of it

system · December 7, 2006, 1:15am

(imported comment written by JasonO91)

I can’t seem to get the relevance right for it to return properly. The customer has given me the ok to not include this in the report. So it looks like it’s going to go out the door without it.

Thanks for all the help. The Presentation debugger is rather helpful!

Jason

system · December 7, 2006, 1:29am

(imported comment written by jessewk)

Jason, this works on my deployment:

<?relevance trs of (td of (if exists name of item 1 of it then name of item 1 of it else "no name") of it & td of (if exists name of item 0 of it then name of item 0 of it else "no name") of it & td of (if exists source of item 0 of it then source of item 0 of it else "no source") of it & td of (if exists source id of item 0 of it then source id of item 0 of it else "no source id") of it & td of (if exists source severity of item 0 of it then source severity of item 0 of it else "no source severity") of it & td of (if exists source release date of item 0 of it then source release date of item 0 of it as string else "no source release date") of it & td of (if exists category of item 0 of it then category of item 0 of it else "no category") of it ) of (relevant fixlets whose (exists source severity of it AND (source severity of it as lowercase = "critical" OR source severity of it as lowercase = "important")) of it, it) of bes computers whose (exists result (bes property "computer name", it)) ?>

Computer Name

Fixlet Name

Source

Source ID

Source Severity

Source Release Date

Category

system · December 7, 2006, 7:40pm

(imported comment written by JasonO91)

Jesse,

Your code works, and I think I’ve found why I’ve been so frustrated.

When I copy/paste your code into the custom report field, and run it, it works properly.

If I then edit the custom report, let’s say I change the string “no source release date” to “None”, save and run. The query returns the following error:

This expression contained a character which is not allowed.

If I take that same code (modified string), copy and paste it back into the window, save and run, it works properly.

So I would change the code to add an if then else statement and it would return the error, and I thought that my syntax was incorrect.

Can you test to see if this is an issue for you as well?

Jason

BenKus · December 8, 2006, 5:56am

(imported comment written by BenKus)

Hey JasonO,

There was an early version of BES 6.0 (6.0.3.4 I believe) that would convert “<”<" when you hit “edit”. If you upgrade your BES Server to the latest BES 6.0 version (6.0.15.7 right now) then that issue should go away. There are lots of other good reasons to upgrade too.

Ben