Joining Two or More Query Results in Relevance

(imported topic written by ktakada91)

Hi,

I recently posted a question similar to this.

http://forum.bigfix.com/viewtopic.php?id=5871

Now I have a new and slightly different issue. I want to add the below two relevance codes together and get one report.

q: if (exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry) then if exists wmi AND exists selects "* from win32_Battery" of wmi then (if exists value "FriendlyName" of it then (it & " – " & (hostname) & " – Laptop – " & (name of logged on user)) of (value "FriendlyName" of it as string) else "") of keys of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry else (if exists value "FriendlyName" of it then (it & " – " & (hostname) & " – Desktop – " & (name of logged on user)) of (value "FriendlyName" of it as string) else "") of keys of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry else "None"

A:IronKey CD-ROM USB Device – TIAA-3CEECE5C37 – Laptop – takada

A:IronKey Secure Drive USB Device – TIAA-3CEECE5C37 – Laptop – takada

q: last write time of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry

A: Wed, 27 Oct 2010 15:33:22 -0400

How can I do this? Any advice would be appreciated. Thanks!

(imported comment written by NoahSalzman)

if (exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry) then if exists wmi AND exists selects "* from win32_Battery" of wmi then (if exists value "FriendlyName" of it then (it & " – " & (hostname) & " – Laptop – " & (name of logged on user)) of (value "FriendlyName" of it as string) & " – " & last write time of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry as string else "") of keys of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry else (if exists value "FriendlyName" of it then (it & " – " & (hostname) & " – Desktop – " & (name of logged on user)) of (value "FriendlyName" of it as string) & " – " & last write time of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry as string else "") of keys of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry else "None"

(imported comment written by ktakada91)

Noah- Who are you? You have been a great help! Thank you so much for a quick reply. I did try that above, but I did not have “as string” for the last write time and it errored out. BTW, we are still running 7.2 and on this forum, there is incorrect information about the last write time property of . It read here and there that it became available in version 8.0. It is not documented in the Windows Inspector, but it works with version 7.2 as well. :smiley:

(imported comment written by ktakada91)

OK, maybe it is true that the last write time of is not supported in versions 7.x. It works fine in the debugger, but when I make it an analysis in the console and run a web report, it errors out.

(imported comment written by NoahSalzman)

Yeah… I would guess that’s because the debugger was written during 8.x development and inherited the newer inspector library.

To answer your other question, I’m a Product Manager at BigFix (based in Emeryville) who just happens to enjoy answering questions on the Forum… sometimes I actually get the answers right, too. But when I don’t, Ben is always quick to correct me. :wink:

(imported comment written by ktakada91)

Noah- Recently my presales engineer left BigFix and his manager is trying to get a replacement quickly. Since all of us at my company are new to BigFix and Relevance, I am struggling to get my syntax right. I read all the references available online and use Windows and Session Inspectors often. I also went through the 202 training material myself. I do use canned fixlets as examples as well. How else can I become as good as you are? Meanwhile, I will keep asking questions on this forum. Thanks again. -Kotaro Takada

(imported comment written by NoahSalzman)

Well, I wish there was a shortcut… but like learning any language or tool it just takes time. I simply put in a lot of hours working on simpler questions on the Forum before I got any good (it took a few months before I was really comfortable).

I’ll put together a Forum post that describes the learning process and some tips I wish I had known at the start.

(imported comment written by MattBoyd)

Ktakada, there’s a few things that helped me get into relevance. Below is some advice that I sent to someone a while ago about getting started:

The BigFix forum is actually a great place to get some practice writing relevance. If someone is having an issue writing a relevance query (or clause, as it’s sometimes called), I try to figure out how to write it myself by doing some research and/or testing. As time goes on and you deal with many relevance clauses, you’ll find some patterns in relevance that are useful for many different things and fairly reusable. It’s worth writing those down somewhere.

I think there are two main concepts that people have trouble grasping: The “it” + “whose” inspectors, and singular vs. plural results. Once you understand these concepts, it becomes much easier to read and understand relevance.

I wouldn’t stress over action script. You’ll probably find that it’s very easy, and maybe a bit too simple for your needs. One thing I’ve discovered after reading older forum threads is that action script was never really intended to be a robust scripting language. There’s no looping or try/catch blocks. For most operations, action script is fine. For very complex operations, you’ll probably end up using batch files, VBScript, or Powershell.

I think you know this already, but the Fixlet and Relevance Debuggers are great tools to use for practice and testing. I use these on a daily basis, and I almost always run my relevance through the debugger before trying it in a task. It saves a lot of time.

When looking for answers, remember that there’s two ways to search the BigFix forum: http://forum.bigfix.com/search.php and http://support.bigfix.com/ . I usually try both, as they tend to return different results. Generally, http://support.bigfix.com/ returns better results more often, and includes KB articles as well. There’s also the inspector search, which you can use to find relevance inspectors that will allow you to lookup system information: http://support.bigfix.com/inspectorsearch/inspector_search.html . I use this often, but I wish BigFix, Inc. included more examples in it. Also, remember that not all relevance inspectors will work on all Operating Systems. For example, the registry and WMI inspectors won’t work on a Mac.

A lot of people tend to get frustrated and give up quickly when it comes to learning relevance, because syntactically it’s very different from SQL languages. Despite a few limitations and frustrations, such as sorting/ordering results, I find it very powerful for interrogating systems, and I haven’t found something comparable. It goes way beyond the abilities of basic WMI queries and has much better performance.

I hope this helps!
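
The "it" + "whose" and singular vs. plural points from the advice above, worked through on the USBSTOR key from this thread. This is an added example, not part of any forum post; it is written in the debugger's q: format, the lines without q: are annotations, and the plain " - " separator is an assumption.

```relevance
Singular form: errors if the key does not exist, so it has to be guarded.
q: exists key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry

Plural form: "keys" returns an empty result instead of an error when the key is missing.
q: number of keys of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry

"whose" filters the plural list; "it" inside the parentheses is each candidate key in turn.
q: (value "FriendlyName" of it as string) of keys whose (exists value "FriendlyName" of it) of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry

Same filter, with the Laptop/Desktop test moved inside the result expression.
Devices without a FriendlyName are dropped by "whose" rather than returned as empty strings.
q: (value "FriendlyName" of it as string & " - " & hostname & " - " & (if (exists wmi AND exists selects "* from win32_Battery" of wmi) then "Laptop" else "Desktop")) of keys whose (exists value "FriendlyName" of it) of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry
```

On a machine with no USBSTOR key the plural queries return nothing rather than the "None" string used in the original relevance.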