Showing results for 
Search instead for 
Did you mean: 
Level 7
Report Inappropriate Content
Message 1 of 2

Unique results in reporting

Hello All;

The reporting feature of ePo is great, it allows filtering on many different tags and attributes;

One thing I am scratching my head over, and so is McAfee support is the ability to report on unique events, just once and only once.

For example I want to create a query that shows how many machines got the VSE deployed.

I create a custom query filtering onthe following below

event ID = 2411

detected UTC = 1 week

Product code = virusscan8700

initiator type = deploymenttask

event type = install

The report is generated and what I see is the same machine reporting that they matched the filter above.

How can I make it so the machines only show up in the report once, and not multiple times? This way I can get a more true result.

I have already done a tech support chat session and he indicated the only way to do this was an SQL query using "Select distinct"

This is fine but I want to be able to port this into a report in the ePo instead of just having the RAW data.

Anyone know of a way to do this, searched the community but could not find anything related.


Nick Diniz

Security Systems Administrator

Message was edited by: ndiniz on 4/26/10 2:01:21 PM CDT
1 Reply
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Unique results in reporting

Here are some instructions I wrote in another thread on how to accomplish essentially the same thing only instead of a deployment task its an on-demand scan tast.

Currently we do not have a default report that you can run to determine the success/failure of a VSE ODS. This would be a good Feature Modification request if you would like to submit one. In the meantime thier is a way you create such a report:

1.  Create a "Scan Completed" tag.
2.  Create a report to pull a list of all managed systems.
3.  Create a report to pull all 1203 events within the past <however often the ODS scan runs>.
4.  Create a server automation task.
        a.  Have the task run the query from number 2 to pull all systems and clear the "Scan Completed" tag.
        b.  Have the task run the query from number 3 to pull the 1203 events and apply the "Scan Completed" tag to all systems returned.
        b.  Schedule the task run after each on demand scan.
5.  Create a boolean chart report that shows machines with the "Scan Completed" tag as compliant, and all other machines as non-compliant.

So you would have to alter the above to report on a deployment task (which would be a different event ID).

I should mention that even if you go through this it may not give you the information you are looking for. Just because a deployment task is runs successfully on a client machine DOES NOT necessarily mean the product itself successfully installed. A "successful" deployment task essentially means that the agent on the client machine successfully invoked the task, downloaded the install package and launched the install (or it invoked the task, determined nothing needed to be installed and quit). After launching the install the agent had done its part and reports the task is successful. Now after launching the install of the point product the install may ultimately fail (so the "deployment" was successful but the "install" failed).

I would suggest a better method would be to run compliance reports to determine if the product you are trying to install is reporting back to ePO that it is installed. You can deduce that if the agent is not reporting back to ePO that that product is installed then you need to take some action on that machine. Ultimately what you want to know is did the product get installed on the client and is it reporting back to ePO correctly. The compliance reports answer both questions while the report you are trying to construct ONLY tells you if a deployment task was completed on the client (and not what product the deployment task was trying to install or whether the install was actually successful).