Impact of Creating many Automatic groups

Akshay19 · April 5, 2021, 7:52pm

HI,
As per customer request we have to create 150 automatic groups in bigfix console, where my number of endpoints in bigfix is 5000. Will creating so many automatic groups impact my root server performance? Is there any recommended number of automatic groups that we can create in bigfix ?

Aram · April 5, 2021, 8:33pm

What is the purpose of the groups, or how will they be used? What logic would be used to define the groups?

One potential alternative is to have a single property that returns 150 different values…effectively allowing you to filter and/or target different groups of devices with a single ‘content’ item.

Akshay19 · April 26, 2021, 9:37am

Hi Aram,
Actually customer have security groups in AD and each security group is mapped with different downtime window to patch them, so the ask is we have to add all these groups in bigfix also and from there we can schedule patches on them. So for this we have this KB from hclsupport by which we can create the automatic groups in bigfix and the respective computers are made visible into it.
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080594&sys_kb_id=01f655851b315c94a67e9759bc4bcba7

But for us these 150 and more automatic groups creation is not a feasible solution and it will also create extra load on our bigfix server., how can we go with this request.
If we create a single property then it will not help us with the reporting because we are using patch compliance report (by lee) and there we have to add groups names not property.

vk.khurava · April 26, 2021, 7:56pm

I would go for client settings as computer group and value will be your ad security groups, its very hard if you have to do it manually however it will one time effort for future you should be pushing these during their os build stage or within client config file.

However its also not that hard pretty simple -

Create one csv file by putting all 5000 servers and their corresponding 150 groups in two columns.
Create simple task to create client setting for computer group.
Export above task as master xml.
Ps script to copy server and group name from csv file and feed in your xml one by one based on their group.
150 xml files will be generated based on client setting task as an action.
Post them using iem cli within 1 min you will have 150 actions in console to complete your task.

Akshay19 · April 27, 2021, 12:20pm

Hi Vijay,
Yes your solution will help us in creating these groups quickly, but for us the challenge is when these automatic groups is live in infra how much amount of load it will create on our bigfix root server. Surely these many automatic groups create load on infra, do we have a work around?

vk.khurava · April 27, 2021, 12:33pm

My solution is talking about Client Setting named as Computer Group or AD Security Group etc. you just need to pass whatever group name you have under this client setting, this will not impact in any way. Since this is a client setting you can control its evaluation behavior lets say 1 to 6 hr or something depending how soon you want things to be updated in console.

In our case this type of group is created on 200K machines & evaluation is 15 min., we are using them for Operator access, any automation, dynamic targeting etc.

Once this client setting created you can use in any way.

Computers
** By Retrieved Property**
** By Computer group or AD Security Team**
—>Group A (100)
—>Group B (150)
—>Group C (300)… etc.

JasonWalker · April 27, 2021, 12:50pm

Unless your root server is already overtaxed or borderline, I don’t think 150 groups is that many.

A single property with 150 values would indeed be more efficient and easier to manage, but yes that would be a limitation in using the custom patch compliance report you reference.

You could certainly create your own custom reports in Web Reports, or if you have BigFix Compliance there are rich reporting capabilities there; but if the goal is to continue using Lee’s report with minimal disruption, 150 computer groups in the Console would not be unusual at all.

SLB · April 27, 2021, 8:22pm

Interesting options. I’m in agreement with @JasonWalker as 150 groups is comparable to adding 150 new fixlets or tasks when you think about it.

If underneath the hood, whatever approach is fundamentally creating and processing a relevance expression, I’d be thinking either the 150 automatic computer groups based on relevance or the 150 groups based on results from 1 property that contains 150 values as @Aram suggested is going to be less expressions than individual properties or client settings as well as computer group expressions? If I try to show that that as a table of how many relevance expression may need to be processed, assuming my thought process isn’t way off the mark.