Session Relevance for specific product type

I have done a lot of research on this. I am not great at Session Relevance but I found most of what I needed.

I need to know how to limit the “bes computers” to just domain controllers.

product type of operating system = nt domain controller product type

(
name of item 0 of it | "missing name"
, (concatenation ";" of values of results (item 0 of it, elements of item 1 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 2 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 3 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 4 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 5 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 6 of it))
) of (
elements of item 0 of it
,item 1 of it
,item 2 of it
,item 3 of it
,item 4 of it
,item 5 of it
,item 6 of it
) of (
set of BES computers
, set of  bes properties whose (name of it as lowercase = ("Customer-Name") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("EMSEID") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("OS Platform") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("Last Report Time") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("All IPs") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("Another Property") as lowercase)
)

Example of what I am getting now…

computer1, Customer Across the street, 16354, Windows 10, ( Mon, 05 Feb 2024 20:21:35 +0000 ), 192.168.109.108

I would really prefer the computer name is the 3rd item, after the EMSEID.
Is there a way to get the Last Report time to show as date and time and not "Mon, 05 Feb 2024 20:21:35 +0000"?

Edited:

Also, if I use the IP property and not our custom “All IPs” property, is there a way for the system to be listed again, with any subsequent IPs?

For example…
computer1, Customer Across the street, 16354, Windows 10, ( Mon, 05 Feb 2024 20:21:35 +0000 ), 192.168.109.108
computer1, Customer Across the street, 16354, Windows 10, ( Mon, 05 Feb 2024 20:21:35 +0000 ), 192.168.109.109
computer1, Customer Across the street, 16354, Windows 10, ( Mon, 05 Feb 2024 20:21:35 +0000 ), 192.168.109.110

To be honest, the “Another Property” example above will likely have multiple results on a dozen systems or more.

I truly appreciate all of your help

The first issue (filtering to only domain controllers) is that we can’t mix client relevance with session relevance. The ‘product type of operating system’ is client relevance; instead, what we need is for the computer to report a property result based on that client relevance, and then use that in filtering.

In my deployment, I created a new Global Property named ‘Windows Product Type’ with this relevance:

if (exists property "product type" of type "operating system") then ((if it = nt workstation product type then "Workstation" else if it = nt server product type then "Server" else if it = nt domain controller product type then "Domain Controller" else "Unknown") of product type of operating system) else "Non-Windows"

Then in the Session Relevance query where you define your ‘set of bes computers’, you can filter those computers based on the results of this property:

set of BES computers

becomes

set of computers of results whose (value of it = "Domain Controller") of bes properties whose (name of it = "Windows Product Type" and not analysis flag of it)

For the second issue, changing the column order…for that you just change the order in your final property selection (i.e. the first thing that appears in the query)…

(
name of item 0 of it | "missing name"
, (concatenation ";" of values of results (item 0 of it, elements of item 1 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 2 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 3 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 4 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 5 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 6 of it))
) 

becomes

(

(concatenation ";" of values of results (item 0 of it, elements of item 1 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 2 of it))
, name of item 0 of it | "missing name"
, (concatenation ";" of values of results (item 0 of it, elements of item 3 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 4 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 5 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 6 of it))
)

For the third issue, putting multiple IP addresses for a computer in a single result row…I think the query does that already?

At this part -

(concatenation ";" of values of results (item 0 of it, elements of item 5 of it))

If a computer has multiple IP addresses, those should get collapsed together so you show something like

computer1, Customer Across the street, 16354, Windows 10, ( Mon, 05 Feb 2024 20:21:35 +0000 ), 192.168.109.108;192.168.109.109;192.168.109.110

I will look into this.

I am building a custom report, as an html table. I wanted to make sure it reports correctly.

For the final thing, formatting the date/time, I think the tip at Tip - 'format' and time/date may be helpful.

(It may help in coding examples to know you’re searching for RFC-2282 time format, which was established in 2001 for the time format of email messages https://www.ietf.org/rfc/rfc2822.txt )

The post I have linked above has a few examples of different formats, but what I think you might be asking for is

q: (format "{0}-{1}-{2} {3}:{4}:{5}" + year of item 1 of it as string + month of item 1 of it as two digits as string + day_of_month of item 1 of it as two digits as string + two digit hour of  item 0 of it + two digit minute of item 0 of it + two digit second of item 0 of it) of (time (universal time zone) of it, date (universal time zone) of it) of time ("Mon, 05 Feb 2024 20:21:35 +0000")
A: 2024-02-05 20:21:35

To retrieve that from the ‘last report time’ property, we have to cast the result as time, run this ‘format’ against the time, and then convert it back to a string to build the concatenation. For that one field you’d change it to

(concatenation ";" of (it as string) of (format "{0}-{1}-{2} {3}:{4}:{5}" + year of item 1 of it as string + month of item 1 of it as two digits as string + day_of_month of item 1 of it as two digits as string + two digit hour of item 0 of it + two digit minute of item 0 of it + two digit second of item 0 of it) of (time (universal time zone) of it, date (universal time zone) of it) of (it as time) of values of results (item 0 of it, elements of item 4 of it))

Putting those all together I think a “final” query would be

(
 (concatenation ";" of values of results (item 0 of it, elements of item 1 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 2 of it))
, name of item 0 of it | "missing name"
, (concatenation ";" of values of results (item 0 of it, elements of item 3 of it))
, (concatenation ";" of (it as string) of (format "{0}-{1}-{2}, {3}:{4}:{5}" + year of item 1 of it as string + month of item 1 of it as two digits as string + day_of_month of item 1 of it as two digits as string + two digit hour of  item 0 of it + two digit minute of item 0 of it + two digit second of item 0 of it) of (time (universal time zone) of it, date (universal time zone) of it) of (it as time) of values of results (item 0 of it, elements of item 4 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 5 of it))
, (concatenation ";" of values of results (item 0 of it, elements of item 6 of it))
) of (
elements of item 0 of it
,item 1 of it
,item 2 of it
,item 3 of it
,item 4 of it
,item 5 of it
,item 6 of it
) of (
set of BES computers
, set of  bes properties whose (name of it as lowercase = ("Customer-Name") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("EMSEID") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("OS Platform") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("Last Report Time") as lowercase)
, set of  bes properties whose (reserved flag of it and name of it as lowercase = ("IP Address") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("Another Property") as lowercase)
)

Since I only have a few of those properties defined in my environment, I see my results as

, , rhel8-sv1.domain.home, , ( 2024-02-05, 22:24:28 ), 192.168.1.82;192.168.122.1, 
, , WEBUI, , ( 2024-02-05, 22:28:01 ), 192.168.1.99, 
, , OSD, , ( 2024-02-05, 22:28:07 ), 192.168.1.152,

@JasonWalker How can I ever repay you? :slight_smile:

Edit: Added the ‘Domain Controller’ filter back in…
One last thing, if you’re doing the formatting in your own tooling that’s fine, but if you want this in a custom Web Report you can build the HTML table formatting with something like

table "border=all" of (
   (th of tr of concatenation of tds of ("col1";"col2";"col3";"col4";"col5";"col6";"col7")) 
 
   & concatenation of trs of (
            concatenation of tds of (
                 item 0 of it
                 ; item 1 of it
                 ; item 2 of it
                 ; item 3 of it
                 ; item 4 of it
                 ; item 5 of it 
                 ; item 6 of it)
    )
of
(
  concatenation ";" of values of results (item 0 of it, elements of item 1 of it)
, concatenation ";" of values of results (item 0 of it, elements of item 2 of it)
, name of item 0 of it | "missing name" 
, concatenation ";" of values of results (item 0 of it, elements of item 3 of it)
, concatenation ";" of (it as string) of (format "{0}-{1}-{2} {3}:{4}:{5}" + year of item 1 of it as string + month of item 1 of it as two digits as string + day_of_month of item 1 of it as two digits as string + two digit hour of  item 0 of it + two digit minute of item 0 of it + two digit second of item 0 of it) of (time (universal time zone) of it, date (universal time zone) of it) of (it as time) of values of results (item 0 of it, elements of item 4 of it)
, concatenation ";" of values of results (item 0 of it, elements of item 5 of it)
, concatenation ";" of values of results (item 0 of it, elements of item 6 of it)
) of (
elements of item 0 of it
,item 1 of it
,item 2 of it
,item 3 of it
,item 4 of it
,item 5 of it
,item 6 of it
) of (
set of computers of results whose (value of it = "Domain Controller") of bes properties whose (name of it = "Windows Product Type" and not analysis flag of it)
, set of  bes properties whose (name of it as lowercase = ("Customer-Name") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("EMSEID") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("OS Platform") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("Last Report Time") as lowercase)
, set of  bes properties whose (reserved flag of it and name of it as lowercase = ("IP Address") as lowercase)
, set of  bes properties whose (name of it as lowercase = ("Another Property") as lowercase)
)
)

This will look something like

Actually I think I missed a consideration here.
I was only thinking about “computers that have more than one IP address”, but there’s another case to consider - “there are multiple properties named ‘IP Address’”

Where you retrieve this property

set of bes properties whose (name of it as lowercase = ("IP Address") as lowercase)

there could be multiple Analyses with properties named “IP Address”. Or you might even have custom Global Properties duplicated with a name like that.

When I built my final query, out of habit I included a property flag and didn’t explain it.

I changed the IP address lookup to

set of bes properties whose (reserved flag of it and name of it as lowercase = ("IP Address") as lowercase)

By using the ‘reserved flag of it’, I included only the BES properties with a ‘reserved flag’ of True.
A BES Property has several flags; each flag has a value of True or False:

properties whose (it as string contains "flag") of type "bes property"

reserved flag of <bes property>: boolean
custom flag of <bes property>: boolean
default flag of <bes property>: boolean
analysis flag of <bes property>: boolean
keep statistics flag of <bes property>: boolean

Our built-in properties will be true for reserved flag of it or default flag of it.
A custom Global Property will be true for custom flag of it and not analysis flag of it.
A property from an analysis from one of our external sites would be true for not custom flag of it and analysis flag of it.
…etc.

These can be helpful when there are multiple properties with the same name but different uses, especially if you only want Global or default properties.

If the properties came from an Analysis though, and you had multiple custom analysis properties with the same name, you can get more specific filters like

bes properties whose (name of it = "Property1" and custom flag of it and name of source analysis of it = "My Analysis" and name of site of source analysis of it = "My Custom Site")

This is great info to know. Thanks

Yes, I was working on creating a custom report. You did the work for me, with a couple of tweaks.
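
For anyone doing the formatting in their own tooling instead of in relevance, here is an added example (not code from any poster in this thread). It takes rows in the column order of the reordered query, emits one row per IP address as asked in the original question, converts the RFC 2822 report time to UTC, and HTML-escapes every cell because property values are reported by endpoints. The function names and sample rows are constructed for illustration.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime
from html import escape

COLUMNS = ("Customer-Name", "EMSEID", "Computer", "OS Platform",
           "Last Report Time", "IP Address", "Another Property")

# Constructed sample rows in the column order of the reordered query;
# multi-valued properties arrive joined with ";".
SAMPLE_ROWS = [
    ("Customer Across the street", "16354", "computer1", "Windows 10",
     "Mon, 05 Feb 2024 20:21:35 +0000",
     "192.168.109.108;192.168.109.109;192.168.109.110", ""),
    ("", "", "<b>dc02</b>", "",
     "Mon, 05 Feb 2024 15:28:01 -0500", "192.168.1.99", ""),
]

def format_report_time(value):
    """RFC 2822 date string -> 'YYYY-MM-DD HH:MM:SS' in UTC; blank if unparsable."""
    try:
        parsed = parsedate_to_datetime(value.strip())
    except (TypeError, ValueError):
        return ""
    if parsed.tzinfo is None:  # a "-0000" zone yields a naive datetime; treat as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def expand_rows(rows, ip_index=5, time_index=4):
    """Yield one row per IP address, with the report time reformatted."""
    for row in rows:
        row = list(row)
        row[time_index] = format_report_time(row[time_index])
        ips = [ip for ip in row[ip_index].split(";") if ip] or [""]
        for ip in ips:
            yield tuple(row[:ip_index] + [ip] + row[ip_index + 1:])

def html_table(rows):
    """Build the report table, escaping every cell before it reaches the page."""
    head = "".join(f"<th>{escape(c)}</th>" for c in COLUMNS)
    body = "".join(
        "<tr>" + "".join(f"<td>{escape(cell)}</td>" for cell in row) + "</tr>"
        for row in rows
    )
    return f'<table border="1"><tr>{head}</tr>{body}</table>'

if __name__ == "__main__":
    print(html_table(expand_rows(SAMPLE_ROWS)))
```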