Relevance to pull Action information

We’re trying to write up a relevance that will provide information on a specific computer and actions it has taken in the past 7 days. Looking for start and end time of the action.

The relevance works before the “AND”, but craps out when we try to narrow it down to last 7 days. Any help is appreciated to get this to work.

(Name of it, id of it, start dates of actions of action results of it, names of actions of action results of it, detailed statuses of action results of it, start times of action results of it, end times of action results of it) of it whose ((Name of it as uppercase contains "TEST123") AND (End Date of actions of action results of it < (current date - 7*day))) of bes computers

I do not think that query, even without the ‘date’ filter, is doing what you might want it to do. You can see my post from yesterday at “Limit System event log - #2 by JasonWalker” that describes how tuples work - but basically, you’re matching every action’s start time against every action’s status and every action’s end times - these aren’t ‘properties from one action’ that you’re pulling, but ‘every instance from every action result’.

What I think you’d need to do is to filter first the computer, then the actions, then loop through the action results, then pull the properties you want from the action results.

I’m not completely sure of everything you’re trying to pull, but I think this template may help you to get a start …

Q: (Name of computer of it, id of computer of it, start date of action of it | date (local time zone) of time issued of action of it, names of actions of it, detailed statuses of it, start times of it, end times of it) of action results whose (now - end time of it < 7 * day) of bes computers whose (name of it = "ENDPOINT-1")

Note that not all Actions have a “start date”, and I don’t think we want to filter out the actions that were issued with ‘start immediately’. I use the pipe operator ‘|’ to trap the error if “start date of action” does not exist and replace it with “date (local time zone) of time issued of action”.

2 Likes
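The difference between the two query shapes discussed in the answer above, modelled in Python as an added example (not part of the thread and not BigFix relevance): a tuple of independent plurals versus one row per action result with the 7-day filter and the start-date fallback. The action names, dates and statuses are constructed sample data, and the function names are hypothetical.

```python
from datetime import date, datetime, timedelta
from itertools import product

NOW = datetime(2024, 5, 20, 12, 0)  # constructed "now" so results are repeatable

# Constructed action results for one computer; start_date None = "start immediately"
RESULTS = [
    {"action": "Patch A", "issued": datetime(2024, 5, 18, 9), "start_date": None,
     "status": "Fixed", "start": datetime(2024, 5, 18, 9, 5), "end": datetime(2024, 5, 18, 9, 20)},
    {"action": "Patch B", "issued": datetime(2024, 5, 15, 8), "start_date": date(2024, 5, 16),
     "status": "Failed", "start": datetime(2024, 5, 16, 1), "end": datetime(2024, 5, 16, 1, 30)},
    {"action": "Patch C", "issued": datetime(2024, 4, 1, 8), "start_date": None,
     "status": "Fixed", "start": datetime(2024, 4, 1, 8, 2), "end": datetime(2024, 4, 1, 8, 40)},
]

def flattened_rows(results):
    """Tuple of independent plurals: every name x every status x every start x every end."""
    cols = [[r[k] for r in results] for k in ("action", "status", "start", "end")]
    return list(product(*cols))

def per_result_rows(results, now=NOW, window=timedelta(days=7)):
    """Iterate the action results first, then read every property from the same result."""
    rows = []
    for r in results:
        if now - r["end"] < window:  # ended within the last 7 days
            # Models the '|' fallback: use the issue date when no start date exists
            start_date = r["start_date"] or r["issued"].date()
            rows.append((r["action"], r["status"], start_date, r["start"], r["end"]))
    return rows

def mismatched(rows, results):
    """Rows whose (name, status) pairing never occurred in a real action result."""
    real = {(r["action"], r["status"]) for r in results}
    return [row for row in rows if (row[0], row[1]) not in real]

if __name__ == "__main__":
    flat = flattened_rows(RESULTS)
    print(len(flat), "flattened rows;", len(mismatched(flat, RESULTS)),
          "pair a name with a status from a different action result")
    for row in per_result_rows(RESULTS):
        print(row)
```

With three action results the flattened form already produces 81 rows, which is why a report built that way cannot be trusted to show which status or end time belongs to which action.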

Thank you so much Jason. That was really helpful.