Relevance query assistance

jturnervbs · March 12, 2015, 4:17pm

I’m trying to get a string of property values for each computer and need to use a relevance query. I ran into a problem although. There’s a property name that is not unique and I’m picking up data for
the first instance, when what I need is the other instance of that property name.

Some folks have suggested using the property id and/or source analysis, but …

Try as I may, I can’t seem to figure out how get property id or source analysis of "Symantec Endpoint Protection Client Version"
into my query so that it ties in with the other specific property values I’m returning for each computer.
I want to have one line of fields and values for each computer.

Here’s a snippet of the relevance statement I’m trying to construct. I just can’t figure out how to weave in the Property ID or Source Analysis in place of the literal property name “Symantec Endpoint Protection Client Version”.

 (
    "Workstation_Name=%22" & value of result 
    (
      it, bes property "DNS Name"
    )
    & "%22 || SEP Version=%22" & concatenation "~" of values of results 
    (
      it, bes property "Symantec Endpoint Protection Client Version"
    )
    & "%22"
  )
  of bes computers

Duplicate Property Name:
Symantec Endpoint Protection Client Version

Property ID that I need:
(75, 207, 1)

Source Analysis:
Symantec Endpoint Protection - Client Information - Windows

Thank you

jgstew · March 12, 2015, 4:44pm

Try this:

(
"Workstation_Name=%22" & value of result 
(
it, bes property "DNS Name"
)
& "%22 || SEP Version=%22" & concatenation "~" of values of results 
(
it, bes properties "Symantec Endpoint Protection Client Version"
)
& "%22"
)
of bes computers

jturnervbs · March 12, 2015, 5:51pm

No change. Same result. Only returning the values of the 1st duplicate named property.

jgstew · March 12, 2015, 5:58pm

There is a way to pull a specific property using 3 integers or using a whose statement. I don’t know it off hand, I’ll have to look it up.

jgstew · March 12, 2015, 6:38pm

Properties of the analysis:

names of properties of custom bes fixlets whose(name of it = "Symantec Endpoint Protection - Client Information - Windows")

The specific property:

property whose(name of it = "Symantec Endpoint Protection Client Version") of custom bes fixlets whose(name of it = "Symantec Endpoint Protection - Client Information - Windows")

Also, you should check the analyses already on BigFix.me for Symantec and see if they have anything additional:

(it is out of date and I need to update it: )
http://bigfix.me/analysis/details/2994621

jturnervbs · March 13, 2015, 11:57am

Unfortunately, I don’t think either of these will work within my query to retrieve various property values for each computer. Any luck finding info on how to get a specific property value using 3 integers?

jturnervbs · March 13, 2015, 1:18pm

After MUCH trial and error I got it…

(
“Workstation_Name=%22” & value of result
(
it, bes property “DNS Name”
)
& “%22 || SEP Version=%22” & concatenation “~” of values of
(
results
(
bes properties
whose
(
name of it = “Symantec Endpoint Protection Client Version”
)
, it
)
)
& “%22”
)
of bes computers

Hopefully this will help others facing the same issue of evaluating properties that have the same name…

jgstew · March 14, 2015, 11:39pm

Thanks for posting the working code. Session Relevance is extra tricky and I have come up against this myself a few times.

I think the integer thing I was thinking of was the following:

bes property whose( id of it = (###,###,###) )

See here: https://support.bigfix.com/inspectors/Session%20Objects_Any.html

I prefer to use the name instead of the ID when possible since the ID will change between root servers and is not as human readable.