Show first n rows of relevance results

Hi,
I am trying to do something that should be simple but I can’t seem to accomplish it. Basically I have this relevance:

( (day_of_month of it as two digits & "/" & month of it as two digits & "/" & year of it as string) of date (local time zone) of time value of properties "TimeGenerated" of it, string value of properties "ProductName" of it) of (select objects "* from Win32_ReliabilityRecords WHERE SourceName='Microsoft-Windows-WindowsUpdateClient'" of wmis)

which returns the date and the name of all Windows updates that were installed. I would like to get only the first N rows in the relevance results, or, at least, just the first. How can I do this simple task? Thanks

Getting the first X rows is a little tricky in relevance language, because we cannot ensure that the order of your rows will not change. That said, there are techniques that can help.

This post uses the technique, but is pretty long and might take some careful reading to get it right.

q: tuple string items (1;2;3) of concatenation ", " of (item 0 of it & "|" & item 1 of it) of (((day_of_month of it as two digits & "/" & month of it as two digits & "/" & year of it as string) of date (local time zone) of time value of properties "TimeGenerated" of it) , string value of properties "ProductName" of it) of (select objects "* from Win32_ReliabilityRecords WHERE SourceName='Microsoft-Windows-WindowsUpdateClient'" of wmis)
A: 28/05/2021|xxxxxxxxxx-MICROSOFT.WINDOWSMAPS
A: 28/05/2021|xxxxxxxxx-MICROSOFT.GETSTARTED
A: 28/05/2021|xxxxxxxxx-Microsoft.MicrosoftSolitaireCollection

Please don’t ask about Solitaire. It came with the system :)

It really seems too complicated to implement. May I ask why? I mean, I wrote the same thing in PowerShell using “| Select -First 1” as shown here:

Get-WmiObject -Class win32_reliabilityRecords -filter "sourcename = 'Microsoft-Windows-WindowsUpdateClient'" -ErrorAction SilentlyContinue | select @{LABEL = "date";EXPRESSION = {$_.ConvertToDateTime($_.timegenerated)}},
@{LABEL = 'Update';EXPRESSION = {$_.productname}} | Select -First 1 | FT -AutoSize -Wrap

The problem is I can’t execute PowerShell in the relevance language. I thought about writing an action that executes this code and writes the output to a txt file periodically, which I would read from a relevance, but I don’t like this solution.

Many thanks, I spent a lot of time trying to figure this out. Do you think that in the future a relevance could just show the output of a PowerShell command? I think this would be really useful.

Relevance does not “execute”. This is by design, to help keep relevance language a safer “query only” type of language.

You can execute PowerShell scripts using Actions in BigFix, and pipe the results out into a file. Then use relevance to pick up the contents of the results file.
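
The action-plus-results-file approach described above, as an added example that is not part of the original thread: a PowerShell script an action could run to write the N most recent records, sorted explicitly so the row order does not depend on what WMI returns. The parameter names, the value of N and the output path are assumptions.

```powershell
# Added example. $N and $OutFile are assumed values, not from the thread.
param(
    [int]$N = 5,
    [string]$OutFile = "$env:ProgramData\ExampleCorp\wu_first_rows.txt"  # hypothetical path
)

# Make sure the target directory exists before writing.
$dir = Split-Path -Parent $OutFile
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# Same WMI class and filter as the relevance query in the thread.
$records = Get-WmiObject -Class Win32_ReliabilityRecords `
    -Filter "SourceName = 'Microsoft-Windows-WindowsUpdateClient'" `
    -ErrorAction SilentlyContinue

# WMI does not guarantee row order, so sort newest-first before taking N rows.
# The escaped slashes keep "/" literal regardless of the machine's culture.
$rows = $records |
    Sort-Object { $_.ConvertToDateTime($_.TimeGenerated) } -Descending |
    Select-Object -First $N |
    ForEach-Object {
        '{0:dd\/MM\/yyyy}|{1}' -f $_.ConvertToDateTime($_.TimeGenerated), $_.ProductName
    }

# Write to a temp file and move it into place, so a relevance evaluation
# never reads a half-written results file. An empty result yields an empty file.
$tmp = "$OutFile.tmp"
Set-Content -Path $tmp -Value @($rows) -Encoding ASCII
Move-Item -Path $tmp -Destination $OutFile -Force

# Relevance side, using the same assumed path:
#   lines of file "C:\ProgramData\ExampleCorp\wu_first_rows.txt"
```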

Understood, I did what you suggested for other cases, but I prefer to use a relevance for this one, because it’s a query which runs periodically. Thanks again.
