(imported topic written by NinjaChicken91)
I have created a custom property “UnapprovedUSBDevices”
This report is the total number of events recorded in an event log matching a certain error code and source.
The custom property shows up in my analysis, but when I try to run a report I get an error
Eg.
(name of item 0 of it & value of result (item 0 of it, item 1 of it)) of (bes computers,bes property “OS”)
That works fine
but when I run it with the same code but replace “OS” with “UnapprovedUSBDevices” it fails
(imported comment written by jessewk)
My guess is that there are some machines that don’t have a result for your property.
Does this work?
(name of computer of it, concatenation “;” of values of it) of results (bes property “UnapprovedUSBDevices”,bes computers) whose (exists value of it)
(imported comment written by NinjaChicken91)
Same response from the debugger
Error: Singular expression refers to nonexistent object.
The relevance for the property is this
if(exist file “BFCLog.evt” of folder “config” of System Folder) then( number of records whose (event id of it=99 AND source of it=“USBDriveCheck”) of event log “BFCLog” ) else( 0 )
So it should return the number of incidents matching those log specifications or 0 if the log doesnt exist. So for any computer which doesnt have the log it should return 0 or the number of incidents found.
If I do an analysis of that property, it works, but trying to generate the report is where I’m getting that error.
Cant find anything in the knowledge base that would have me pull a custom property different from an already defind property. And unfortunately there’s no existing property I could pull from to get the information.
(imported comment written by jessewk)
Can you try these queries and post the output?
exists bes property “UnapprovedUSBDevices”
exists results (bes property “UnapprovedUSBDevices”, bes computers)
number of computers of results (bes property “UnapprovedUSBDevices”, bes computers)
number of values of results (bes property “UnapprovedUSBDevices”, bes computers)
(imported comment written by NinjaChicken91)
Sweet That solved it.
And i was able to get the report too
(name of computers of it, value of it) of results (bes property “UnapprovedUSBDevices”, bes computers)
Can you try these queries and post the output?
exists bes property “UnapprovedUSBDevices”
True
exists results (bes property “UnapprovedUSBDevices”, bes computers)
True
number of computers of results (bes property “UnapprovedUSBDevices”, bes computers)
22
number of values of results (bes property “UnapprovedUSBDevices”, bes computers)
22