Pending Patch API Call - Relevance Assistance

Wondering if anyone can help please?

(names of elements of applicable computer set of it, source release date of it) of bes fixlets whose (display name of site of it = "Patches for Windows" AND fixlet flag of it AND source severity of it = "Critical" AND applicable computer count of it > 0 AND exists source id whose (it as lowercase does not contain "unspecified") of it AND name of it starts with "MS2")

I’m really struggling with the concatenation of this - someone really needs to give me relevance training :smiley:

This works really well but I end up with like 10 entries for endpoints when I want to see the data like:

computer1: 01/2025, 04/2025

I tried with

(name of elements of applicable computer set of it, concatenation "%2C" of (source release date of it as string)) of bes fixlets whose (display name of site of it = "Patches for Windows" AND fixlet flag of it AND source severity of it = "Critical" AND applicable computer count of it > 0 AND exists source id whose (it as lowercase does not contain "unspecified") of it AND name of it starts with "MS2")

and got this:

<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BESAPI.xsd">
	<Query Resource="(name of elements of applicable computer set of it, concatenation &quot;,&quot; of (source release date of it as string)) of bes fixlets whose (display name of site of it = &quot;Patches for Windows&quot; AND fixlet flag of it AND source severity of it = &quot;Critical&quot; AND applicable computer count of it &gt; 0 AND exists source id whose (it as lowercase does not contain &quot;unspecified&quot;) of it AND name of it starts with &quot;MS2&quot;)">
		<Result>
			<Tuple>
				<Answer type="string">COMPUTER1</Answer>
				<Answer type="string">Tue, 14 Jan 2020</Answer>
			</Tuple>
		</Result>
		<Error>Singular expression refers to non-unique object.</Error>
	</Query>
</BESAPI>

I would structure it the other way (if your desired result row is per computer, then start with a query based on computers; if your desired result row is per fixlet, then query based on fixlets):

(name of it, concatenation "%2C" of (source release date of it as string) of elements whose (display name of site of it = "Patches for Windows" AND fixlet flag of it AND source severity of it = "Critical" AND applicable computer count of it > 0 AND exists source id whose (it as lowercase does not contain "unspecified") of it AND name of it starts with "MS2") of relevant fixlet set of it) of bes computers

And if you want to remove all computers that do not have such fixlets relevant, put that as a whose statement:

(name of it, concatenation "%2C" of (source release date of it as string) of elements whose (display name of site of it = "Patches for Windows" AND fixlet flag of it AND source severity of it = "Critical" AND applicable computer count of it > 0 AND exists source id whose (it as lowercase does not contain "unspecified") of it AND name of it starts with "MS2") of relevant fixlet set of it) of bes computers whose (exists relevant fixlets whose (display name of site of it = "Patches for Windows" AND fixlet flag of it AND source severity of it = "Critical" AND applicable computer count of it > 0 AND exists source id whose (it as lowercase does not contain "unspecified") of it AND name of it starts with "MS2") of it)
7 Likes

Both of these work, thank you so much!

I just wish I could paginate because 15 minutes for the first one and 5 min for the 2nd is huge :open_mouth:

60k devices

I will get you an updated one in a bit that should scale well but it just looks a lot worse and it takes a minute to write

Not sure if this would work or help for your use case John but one approach I implemented was for the endpoints to report back a property result for relevant fixlets for a matching criteria, in my case age was over a certain number of days from the release date. This could then be consumed via external reporting tools and dashboard as well as web reports and no need to run those process intensive session relevance queries via the API. My case was also cross platform so it was processing Windows as well as a number of different Linux distros. The property was set with a moderate refresh interval so as not to create too much excessive load on the endpoints and this worked very well. May not work as well if you need to pull up reports for differing rules though.

Based on your session relevance, something like this might present data similar to what you were looking at, but as a property.

concatenation ", " of ((month of it as two digits & "-" & year of it as string) of (values of headers "X-Fixlet-Source-Release-Date" of it as date)) of relevant fixlets whose (((it starts with "ms" and it does not contain "(superseded)") of (value of header "Subject" of it as string as lowercase)) and (value of header "X-Fixlet-Source-Severity" of it as lowercase = "critical")) of sites "bessecurity"

@FatScottishGuy, give this a try - it doesn’t look pretty at all and it’s not very easy to decipher/follow/reverse-engineer/amend, but in my experience performance-wise it is top-notch and highly scalable (I’ve gotten it to retrieve 60-70 properties from all computers in a single go and it still takes under a minute in an environment of 20k endpoints)…

(name of item 0 of it|"Missing Name", (if (size of item 1 of it >= 1) then (concatenation "%2C" of (source release date of it as string) of fixlets of results (item 0 of it, elements of item 1 of it) whose (relevant flag of it)) else ("N/A"))) of (elements of item 0 of it,item 1 of it) of (set of bes computers, set of bes fixlets whose (display name of site of it = "Patches for Windows" AND fixlet flag of it AND source severity of it = "Critical" AND applicable computer count of it > 0 AND exists source id whose (it as lowercase does not contain "unspecified") of it AND name of it starts with "MS2"))
4 Likes

I might have done something very wrong but I’m getting “Requested resource does not exist.”

URL-encode it before posting it to the API (some special characters do not automatically get replaced in ASCII). Try this for example (it’s the same query just URI-encoded):

%28name%20of%20item%200%20of%20it%7C%22Missing%20Name%22%2C%20%28if%20%28size%20of%20item%201%20of%20it%20%3E%3D%201%29%20then%20%28concatenation%20%22%252C%22%20of%20%28source%20release%20date%20of%20it%20as%20string%29%20of%20fixlets%20of%20results%20%28item%200%20of%20it%2C%20elements%20of%20item%201%20of%20it%29%20whose%20%28relevant%20flag%20of%20it%29%29%20else%20%28%22N%2FA%22%29%29%29%20of%20%28elements%20of%20item%200%20of%20it%2Citem%201%20of%20it%29%20of%20%28set%20of%20bes%20computers%2C%20set%20of%20bes%20fixlets%20whose%20%28display%20name%20of%20site%20of%20it%20%3D%20%22Patches%20for%20Windows%22%20AND%20fixlet%20flag%20of%20it%20AND%20source%20severity%20of%20it%20%3D%20%22Critical%22%20AND%20applicable%20computer%20count%20of%20it%20%3E%200%20AND%20exists%20source%20id%20whose%20%28it%20as%20lowercase%20does%20not%20contain%20%22unspecified%22%29%20of%20it%20AND%20name%20of%20it%20starts%20with%20%22MS2%22%29%29
1 Like
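
An added example, not part of any post in this thread and not BigFix's own tooling: a Python sketch of the encoding step described above, plus a parser for the BESAPI reply that groups tuples per computer and reports an `<Error>` that arrives alongside partial results. The host `bigfix.example.com`, the function names and the sample reply are assumptions constructed for illustration; `/api/query?relevance=` is the REST API query resource on the root server.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import quote

# Hypothetical root server; 52311 is the default BigFix port.
BASE_URL = "https://bigfix.example.com:52311"


def build_query_url(relevance, base_url=BASE_URL):
    """Percent-encode the whole relevance string for /api/query.

    safe="" also encodes '/', '|', '"' and '%', so the literal "%2C" in the
    relevance becomes "%252C" and reaches the server as "%2C" again.
    """
    return f"{base_url}/api/query?relevance={quote(relevance, safe='')}"


def parse_besapi(xml_text):
    """Return ({computer: [values]}, [errors]) from a BESAPI query reply."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    per_computer = defaultdict(list)
    for tup in root.iter("Tuple"):
        answers = [a.text or "" for a in tup.findall("Answer")]
        if len(answers) >= 2:
            per_computer[answers[0]].extend(answers[1:])
    # A reply can carry partial results and an <Error> at the same time,
    # so never treat the presence of <Result> as success.
    errors = [e.text for e in root.iter("Error")]
    return dict(per_computer), errors


# Constructed sample reply, shaped like the one quoted earlier in the thread.
SAMPLE_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<BESAPI>
  <Query Resource="(constructed)">
    <Result>
      <Tuple><Answer type="string">COMPUTER1</Answer><Answer type="string">Tue, 14 Jan 2020</Answer></Tuple>
      <Tuple><Answer type="string">COMPUTER1</Answer><Answer type="string">Tue, 11 Feb 2020</Answer></Tuple>
      <Tuple><Answer type="string">COMPUTER2</Answer><Answer type="string">Tue, 14 Jan 2020</Answer></Tuple>
    </Result>
    <Error>Singular expression refers to non-unique object.</Error>
  </Query>
</BESAPI>"""

if __name__ == "__main__":
    print(build_query_url('(name of it|"Missing Name", concatenation "%2C" of names of it)'))
    rows, errors = parse_besapi(SAMPLE_REPLY)
    for computer, dates in rows.items():
        print(f"{computer}: {', '.join(dates)}")
    print("errors:", errors)
```
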

Absolutely outstanding!

It went from 15 minutes to just 842ms :open_mouth: I mean wow!

Thank you so much Angel!

1 Like