1 Reply Latest reply on Sep 14, 2009 2:08 AM by tempuser

    ODS Query help!!

      I am trying to create a query in ePO 4.0 that lists all PCs that are currently undergoing a scan.
      I managed to create a query that displays a grouped bar chart, in which one group displays all PCs on which a scan has been started, and another group displays PCs on which a scan has finished.
      Essentially, what I am looking for is a query that displays the 'difference' of these 2 groups, i.e. PCs on which a scan has started but not ended.

      Can anyone help me??

      PS: I pasted the XML of the query below if anyone is interested. However, make sure that events 1202 and 1203 are selected under Configuration > Server Setting > Event Filtering.

      <queries>
      <query>
      <name language="en">VSE: ODS start/complete</name>
      <description language="en"></description>
      <property name="target">EPOEvents</property>
      <property name="tableURI">query:table?orion.table.columns=EPOEvents.DetectedUTC%3AEPOEvents.TargetHostName%3AEPOEvents.TargetIPV4%3AEPOEvents.ThreatCategory%3AEPOEvents.ThreatEventID%3AEPOEvents.AnalyzerDetectionMethod&amp;orion.table.order.by=EPOEvents.DetectedUTC%3AEPOEvents.TargetHostName%3AEPOEvents.TargetIPV4%3AEPOEvents.ThreatCategory%3AEPOEvents.ThreatEventID%3AEPOEvents.AnalyzerDetectionMethod&amp;orion.table.order=az</property>
      <property name="conditionURI">query:condition?orion.condition.***p=%28+where+%28+and+%28+or+%28+eq+EPOEvents.ThreatEventID+1203++%29+%28+eq+EPOEvents.ThreatEventID+1202++%29+%29+%28+newerThan+EPOEvents.DetectedUTC+86400000++%29+%29+%29&amp;orion.condition.***p=%28+where+%28+eq+EPOEvents.ThreatEventID+1203++%29+%29</property>
      <property name="summaryURI">query:summary?orion.show.other.limit=0&amp;orion.sum.order.by=count%3Acount&amp;orion.show.other=false&amp;orion.sum.group.by=EPOEvents.ThreatCategory%3AEPOEvents.AnalyzerDetectionMethod&amp;orion.sum.aggregation.column=count&amp;orion.sum.time.cols=false%3Afalse&amp;orion.sum.aggregation=count&amp;orion.sum.order=asc%3Aasc&amp;orion.sum.limit.count=0%3A0&amp;orion.chart.type=groupedbar&amp;orion.sum.limit=false%3Afalse&amp;groupedbar.title=EPOEvents.ThreatCategory&amp;orion.sum.query=true</property>
      </query>
      </queries>


      Thanks
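
The "started but not finished" difference asked for above amounts to an anti-join on the event table. The following is an added example, not part of the original post and not an ePO export. It runs the SQL against an in-memory SQLite table with constructed rows. It assumes that 1202 marks scan start and 1203 scan completion and that DetectedUTC is stored as epoch milliseconds; only the column names and the 24-hour window come from the posted query.

```python
import sqlite3

SCAN_STARTED, SCAN_COMPLETED = 1202, 1203  # assumed meaning of the two event IDs
WINDOW_MS = 86_400_000                     # 24 h, as in the posted newerThan condition
HOUR = 3_600_000
NOW_MS = 1_252_900_000_000                 # constructed "current time" for the sample data

# Latest start per host in the window, kept only when no completion follows it.
QUERY = """
SELECT st.TargetHostName
FROM (SELECT TargetHostName, MAX(DetectedUTC) AS LastStart
      FROM EPOEvents
      WHERE ThreatEventID = :started AND DetectedUTC > :cutoff
      GROUP BY TargetHostName) AS st
LEFT JOIN (SELECT TargetHostName, MAX(DetectedUTC) AS LastDone
           FROM EPOEvents
           WHERE ThreatEventID = :completed AND DetectedUTC > :cutoff
           GROUP BY TargetHostName) AS dn
  ON dn.TargetHostName = st.TargetHostName
WHERE dn.LastDone IS NULL OR dn.LastDone < st.LastStart
ORDER BY st.TargetHostName
"""

def hosts_still_scanning(conn, now_ms):
    """Return hosts whose most recent scan start has no later completion event."""
    params = {"started": SCAN_STARTED, "completed": SCAN_COMPLETED,
              "cutoff": now_ms - WINDOW_MS}
    return [row[0] for row in conn.execute(QUERY, params)]

def build_sample_db(now_ms):
    """Constructed events: (TargetHostName, ThreatEventID, DetectedUTC in ms)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EPOEvents (TargetHostName TEXT, "
                 "ThreatEventID INTEGER, DetectedUTC INTEGER)")
    rows = [
        ("PC-A", SCAN_STARTED, now_ms - 3 * HOUR),    # started ...
        ("PC-A", SCAN_COMPLETED, now_ms - 2 * HOUR),  # ... and finished
        ("PC-B", SCAN_STARTED, now_ms - 1 * HOUR),    # started, never finished
        ("PC-C", SCAN_STARTED, now_ms - 5 * HOUR),
        ("PC-C", SCAN_COMPLETED, now_ms - 4 * HOUR),
        ("PC-C", SCAN_STARTED, now_ms - HOUR // 2),   # second scan still running
        ("PC-D", SCAN_STARTED, now_ms - 30 * HOUR),   # outside the 24 h window
        ("PC-E", SCAN_COMPLETED, now_ms - 1 * HOUR),  # completion only
    ]
    conn.executemany("INSERT INTO EPOEvents VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    print(hosts_still_scanning(build_sample_db(NOW_MS), NOW_MS))
```

Comparing the latest start with the latest completion, rather than only checking whether a completion exists, keeps a host in the result when it finished one scan and has since started another.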