Get hostname and current user by IP Address

Hello,

I would like to know if it is possible to query my environment to return the hostname and current user when inputting a given IP Address?

You can do it with Web Reports
On Filter option - Add IP Address
On Columns - Show “User Name” and “Computer Name”

I understand, but I wanted to have these results through API, what I need is the following:

I have an IP Address, when I input it on the API I want it to bring me the hostname and the current user of that particular computer.

That’s gonna be precious for an automation we are planning.

You can use the /api/query resource and pass something like the following session relevance (where you replace the placeholder IP address of 1.2.3.4 with the inputted value):

(name of it, value of result from (bes property "User name" whose (default flag of it)) of it) of bes computers whose (ip address of it as string contains "1.2.3.4")

3 Likes

How can I test the functionality of this query? Through Web Reports? Also, to get the computer hostname is there any specific query? I get that using this, we’ll get the “User name”, I tried copy and paste this to web reports but it doesn’t show any results.

Or do I have to use the API itself in order to see if it worked?

Thank you.

You can test the session relevance a number of ways including at least the following:

And to test via API, you can also use the IEM CLI: https://developer.bigfix.com/rest-api/iem_cli/

(note that this session relevance also returns the computer name, not just user)

3 Likes

I am getting an error when trying to query this command through cURL:

curl -k -v -u redacted:redacted "https://redactedappbigfix.redacted.com.br:52311/api/query?relevance=(name%20of%20it,%20value%20of%20result%20from%20(bes%20property%20"User%20name"%20whose%20(default%20flag%20of%20it))%20of%20it%20of%20bes%20computers%20whose%20(ip%20address%20of%20it%20as%20string%20contains%20%221.2.3.4%22%20)

Then I get the following result, and error:

*   Trying 1.2.3.4:52311...
* Connected to redactedappbigfix.redacted.com.br (1.2.3.4) port 52311 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x
* Server auth using Basic with user 'redacted'
> GET /api/query?relevance=(name%20of%20it,%20value%20of%20result%20from%20(bes%20property%20User%20name%20whose%20(default%20flag%20of%20it))%20of%20it%20of%20bes%20computers%20whose%20(ip%20address%20of%20it%20as%20string%20contains%20%221.2.3.4%22%20) HTTP/1.1
> Host: redactedappbigfix.redacted.com.br:52311
> Authorization: Basic redacted
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/xml
< SessionToken: R3D4CT3D==
< Set-Cookie: SessionToken="TOKENWASREDACTED==";Path=/api;Secure;HttpOnly;Max-Age=300;Expires=Mon, 30 Oct 2023 14:04:30 +0000;
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Transfer-Encoding: chunked
<
<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
        <Query Resource="(name of it, value of result from (bes property User name whose (default flag of it)) of it of bes computers whose (ip address of it as string contains &quot;1.2.3.4&quot; )">
                <Result></Result>
                <Error>This expression could not be parsed.</Error>
        </Query>
</BESAPI>
* Connection #0 to host redactedappbigfix.redacted.com.br left intact

Using the path "https://redactedappbigfix.redacted.com.br:52311/api/computers", we have some Computer IDs:

I can link a computer via hostname using "https://redactedappbigfix.redacted.com.br:52311/api/query?relevance=(id%20of%20it)%20of%20bes%20computers%20whose%20(%20name%20of%20it%20as%20string%20contains%20%22" + x + "%22%20)"

How do I link a computer through IP Address?

I am successfully getting good results through web reports, but some of them just say "singular expression refers to non-unique object."

EDIT:

Also, when the computer has more than one IP Address, it does not return me anything through web reports, only when it’s just one.

Thank you.

For easier testing when using curl, I’d use the method I describe at Bes Properties that are not set or unkown causing relevance query issue to store the relevance query in an external file.

In an external file, we don’t have to do the URL-encoding, we can have curl do that for us. We also can have line breaks in the query to make it much more readable.

The query itself could have some more error handling in it. In my case I’ll create a file ‘query.txt’ with the following content:

( 
  id of it,
  name of it | "<hostname not reported>"
  , concatenation ";" of (ip addresses of it as string)
  , value of result from (bes property "User name" whose (default flag of it)) of it  | "<none>"
) of bes computers whose 
 (
  exists (ip addresses of it) whose (it as string contains "192.168.")
 )

This handles computers that have no one logged on at the moment, and computers with multiple IP addresses. For debugging I also return the IP addresses of the computer, feel free to remove that property if you don’t want it.

To send the query, from the directory in which query.txt is present, I execute

curl --insecure --user username:password --data-urlencode "output=json" -X POST "https://bes-root.local:52311/api/query" --data-urlencode "relevance@query.txt"

Because I include the “output=json” header in the command line, the results are in JSON format. You can leave that out if you prefer dealing with the XML output format. When I run this one, my query returns results in this format (some snipped for readability):

{"result":[[9024435,"rhel8-sv1.domain.home","192.168.1.82;192.168.122.1","<none>"],[10545704,"WEBUI","192.168.1.99","Administrator"],[11635830,"OSD","192.168.1.152","<none>"],[539193122,"BES-ROOT","192.168.1.151","Administrator"]],"plural":true,"type":"( string, string, string )","evaltime_ms":1}

edit: modified the query to also return the BES Computer ID, and to trap cases where the BES Computer name has not been reported (a case can occur where a computer is queried before its hostname has been reported to the server)

4 Likes

Thank you for the clarification, it’s working quite well and we got it working through API, although now I get a problem when I have to query machines who have more than one user name, the error being: E: Singular expression refers to non-unique object.

I tried making a small change to query for “User Names” and I don’t get the error, but instead I get the user as .

Here’s an example:

How do I show multiple users as well, any thoughts?

Extending on Jason’s suggested session relevance, here’s a sample that will work with multiple users (separated by ;):

( 
  id of it,
  concatenation ";" of names of it | "<hostname not reported>"
  , concatenation ";" of (ip addresses of it as string)
  , concatenation ";" of values of results from (bes property "User name" whose (default flag of it)) of it  | "<none>"
) of bes computers whose 
 (
  exists (ip addresses of it) whose (it as string contains "1.2.3.4")
 )

4 Likes
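To show how the file-based curl workflow from Jason's post and Aram's multi-user query fit together in an automation, here is an added Python example (not code from the thread or from BigFix). It assumes the /api/query resource and the session relevance quoted above; the server URL, credentials and the sample JSON response are placeholders constructed for the example. The caller-supplied IP is validated with the ipaddress module before it is spliced into the relevance string, so a stray quote or relevance keyword in the input cannot change the query, and the body is form-encoded the way curl's --data-urlencode does it, which avoids the shell-quoting problem that produced "This expression could not be parsed" earlier in the thread. Following the last post, the filter uses an exact string comparison instead of "contains".

```python
"""Look up hostname and logged-on users for an IP via the BigFix REST API.

Added example, not code from the thread or from BigFix. Assumes the
/api/query resource and the session relevance shown in the thread; the
server URL and credentials are placeholders.
"""
import base64
import ipaddress
import json
import ssl
import urllib.parse
import urllib.request

# Aram's multi-user query, with "contains" replaced by an exact comparison
# and the IP supplied through a placeholder filled in by build_relevance().
RELEVANCE_TEMPLATE = """(
  id of it,
  concatenation ";" of names of it | "<hostname not reported>"
  , concatenation ";" of (ip addresses of it as string)
  , concatenation ";" of values of results from (bes property "User name" whose (default flag of it)) of it | "<none>"
) of bes computers whose
 (
  exists (ip addresses of it) whose (it as string = "{ip}")
 )"""


def build_relevance(ip_text: str) -> str:
    """Validate the caller-supplied IP before splicing it into the query.

    ipaddress.ip_address() accepts only a literal IPv4/IPv6 address, so a
    quote or relevance keyword in the input raises ValueError instead of
    ending up inside the query string.
    """
    ip = ipaddress.ip_address(ip_text.strip())
    return RELEVANCE_TEMPLATE.format(ip=str(ip))


def encode_query(relevance: str, output: str = "json") -> bytes:
    """Form-encode the POST body (what curl --data-urlencode does).

    urlencode percent-escapes the embedded quotes and newlines, which is
    exactly what the hand-built GET URL earlier in the thread lost.
    """
    return urllib.parse.urlencode({"output": output, "relevance": relevance}).encode("ascii")


def parse_result(json_text: str) -> list:
    """Turn the /api/query JSON into one record per computer.

    The ';'-joined IP and user lists are split back into Python lists and
    the "<none>" marker becomes an empty user list.
    """
    payload = json.loads(json_text)
    records = []
    for comp_id, hostname, ips, users in payload["result"]:
        records.append({
            "id": comp_id,
            "hostname": hostname,
            "ips": ips.split(";") if ips else [],
            "users": [] if users == "<none>" else users.split(";"),
        })
    return records


def lookup(ip_text: str, server: str, username: str, password: str,
           verify_tls: bool = True) -> list:
    """POST the query to <server>/api/query and return parsed records.

    Needs a reachable root server; server and credentials are placeholders.
    """
    body = encode_query(build_relevance(ip_text))
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    req = urllib.request.Request(
        f"{server}/api/query", data=body, method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl --insecure; lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_result(resp.read().decode("utf-8"))


# Constructed sample response, modelled on the JSON shape quoted in the thread.
SAMPLE_RESPONSE = json.dumps({
    "result": [
        [9024435, "rhel8-sv1.domain.home", "192.168.1.82;192.168.122.1", "<none>"],
        [10545704, "WEBUI", "192.168.1.99", "Administrator"],
        [11635830, "OSD", "192.168.1.152", "alice;bob"],
    ],
    "plural": True,
    "evaltime_ms": 1,
})

if __name__ == "__main__":
    for rec in parse_result(SAMPLE_RESPONSE):
        print(rec)
    # Real call, placeholders only:
    # lookup("1.2.3.4", "https://bes-root.local:52311", "username", "password")
```

Run it as-is to see the parsed sample records; point lookup() at a real root server (with verify_tls left True and a trusted CA, or the server certificate added to the trust store) to query live. Keeping the validation in build_relevance() rather than in the caller means every code path that reaches the API goes through the same check.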

@Aram and @JasonWalker. We were able to make the script work through IBM Guardium using the relevance you guys created. We changed a few things, such as "...exists (ip addresses of it) whose (it as string contains "1.2.3.4")" to "equals", in order to get more precise results and avoid getting too many IP addresses, especially when we had IPs with the last octet ending with one number.
We also took @Aram's addition to handle multiple users.

Thank you very much for the help! :grinning:

3 Likes