epository
Level 10
Message 1 of 12

Last Update vs. Last Detected Time Query

All,

In trying to give my bosses the most accurate information, I try to filter my results on how many machines have the agent down to what has checked in/been detected in the last 2 weeks.

I created a custom query on Managed Systems and sorted by Agent Versions:

With no filter applied, I get 40K systems

With Last Update Within the last 2 Weeks filter, I get 30K systems

With Last Detected Time within the last 2 Weeks filter, I get 25K systems.

These are huge deltas and I am also breaking out deployment modules... Which filter is best for reporting accurate numbers to my boss?

11 Replies
epository
Level 10
Message 2 of 12

Re: Last Update vs. Last Detected Time Query

Also, anyone have any ideas on how to make a query/queries that would show you all new computers added in the last week and all computers removed from inventory in the last week?

Check-in times and Last Updates are ok, but you are really ending up with net numbers when you just do the usual breakout; I need everything so I can say which sites are losing/adding computers.

UPDATE: Audit Log will show you which new systems were added within a certain time frame and which systems were deleted. Have to export to Excel and use "Text to Columns"/Pivot Tables to co-locate to a site...

You can customize through the ePO console how long before a system is deleted by agent-server communication.

Message was edited by: epository on 4/8/10 6:47:34 AM CDT

Message was edited by: epository on 4/8/10 9:07:29 AM CDT
ajacobs
Level 12
Message 3 of 12

Re: Last Update vs. Last Detected Time Query

I am not a product expert but does your post belong in our HIPs product area here?

Let me know and I will move it.

bgable
Level 11
Message 4 of 12

Re: Last Update vs. Last Detected Time Query

I think this is an ePO question...

epository
Level 10
Message 5 of 12

Re: Last Update vs. Last Detected Time Query

This is an ePO question and not answered.

ajacobs
Level 12
Message 6 of 12

Re: Last Update vs. Last Detected Time Query

Ok, trying again. I've moved this to our ePO area. Hopefully a product expert can help you soon.

SCtbe
Reliable Contributor
Message 7 of 12

Re: Last Update vs. Last Detected Time Query

I think that for added systems it would be better to create a Managed System query and filter the results using the First Detected Time property from the Detection Sources category.

apoling
Level 14
Message 8 of 12

Re: Last Update vs. Last Detected Time Query

Hi,

With no filter applied, I get 40K systems

With Last Update Within the last 2 Weeks filter, I get 30K systems

With Last Detected Time within the last 2 Weeks filter, I get 25K systems.

These are huge deltas and I am also breaking out deployment modules... Which filter is best for reporting accurate numbers to my boss?

I think the second query would be good for all active systems.

The third query may not be relevant here, as this field does not really reflect anything other than when the RSD sensor last detected its traffic.

/all supposing that you do not have nodes with AgentGUID problems and duplicate nodes and no RSD exceptions/

Also, anyone have any ideas on how to make a query/queries that would show you all new computers added in the last week and all computers removed from inventory in the last week?

Check-in times and Last Updates are ok, but you are really ending up with net numbers when you just do the usual breakout; I need everything so I can say which sites are losing/adding computers.

UPDATE: Audit Log will show you which new systems were added within a certain time frame and which systems were deleted. Have to export to Excel and use "Text to Columns"/Pivot Tables to co-locate to a site...

You can customize through the ePO console how long before a system is deleted by agent-server communication.

I think the Last Update field is not really eligible to use in queries to find recent new nodes added to the tree, since this field is being constantly updated from existing systems, too. (Although when this field has an old value, then it could be an indication of a node "getting lost" from a given group.)

Last Detected Time might also not be eligible since it is also updated if you have an RSD sensor.

I made some investigations and there is a technical way of tracking nodes getting created and deleted but this requires extra programming within the SQL database and the result won't be accessible from within ePO queries (or I suppose so) only from direct SQL queries.

As for Audit Log: this is to be found in the OrionAuditLog table in the database, so if you prepare an Excel, you can embed an SQL query which directly lists - filtered - sections of this table.

Attila
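
Added example, not part of any post in this thread: one way to get the gross per-site additions and removals asked about in message 2, by comparing two exported Managed Systems snapshots taken a week apart, alongside a count of systems with a Last Update inside the 14-day window. The CSV layout, the column names (`system_name`, `site`, `last_update`) and all sample rows are constructed assumptions, not ePO's own export format.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample snapshots (assumed columns; not real ePO output).
LAST_WEEK = """system_name,site,last_update
pc-001,Austin,2010-03-30 08:00:00
pc-002,Austin,2010-03-29 09:30:00
pc-003,Dallas,2010-03-28 10:00:00
pc-004,Dallas,2010-02-01 12:00:00
"""
THIS_WEEK = """system_name,site,last_update
pc-001,Austin,2010-04-07 08:00:00
pc-003,Dallas,2010-04-06 10:00:00
pc-004,Dallas,2010-02-01 12:00:00
pc-005,Austin,2010-04-05 11:00:00
pc-006,Dallas,2010-04-07 07:45:00
"""

def load(text):
    """Map lower-cased system name -> row dict for one exported snapshot."""
    return {r["system_name"].lower(): r for r in csv.DictReader(io.StringIO(text))}

def churn_by_site(old, new):
    """Gross additions and removals per site, not just the net change."""
    added = Counter(new[n]["site"] for n in new.keys() - old.keys())
    removed = Counter(old[n]["site"] for n in old.keys() - new.keys())
    sites = sorted(set(added) | set(removed))
    return {s: {"added": added[s], "removed": removed[s]} for s in sites}

def active_by_site(snapshot, as_of, days=14):
    """Count systems per site whose last_update is within `days` of `as_of`."""
    cutoff = as_of - timedelta(days=days)
    fmt = "%Y-%m-%d %H:%M:%S"
    return Counter(r["site"] for r in snapshot.values()
                   if datetime.strptime(r["last_update"], fmt) >= cutoff)

if __name__ == "__main__":
    old, new = load(LAST_WEEK), load(THIS_WEEK)
    # Austin gains one and loses one: a net change of zero hides the churn.
    print(churn_by_site(old, new))
    print(dict(active_by_site(new, datetime(2010, 4, 8))))
```
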

SCtbe
Reliable Contributor
Message 9 of 12

Re: Last Update vs. Last Detected Time Query

There is an option to filter out detection source type and match it to epo.agent.

apoling
Level 14
Message 10 of 12

Re: Last Update vs. Last Detected Time Query

As far as I know it only happens every 7 days or so (to give precedence to RSD sensor) and merely to update the properties of the detected item.
