11 Replies. Latest reply on Jul 12, 2010 7:20 AM by Attila Polinger

    Last Update vs. Last Detected Time Query

    epository

      All,

       

      In trying to give my bosses the most accurate information, I try to filter my results on how many machines have the agent down to what has checked in/been detected in the last 2 weeks.

       

      I created a custom query on Managed Systems and sorted by Agent Versions:

       

      With no filter applied, I get 40K systems

       

      With Last Update Within the last 2 Weeks filter, I get 30K systems

       

      With Last Detected Time within the last 2 Weeks filter, I get 25K systems.

       

      These are huge deltas and I am also breaking out deployment modules.....which filter is best for reporting accurate numbers to my boss?

        • 1. Re: Last Update vs. Last Detected Time Query
          epository

          Also, anyone have any ideas on how to make a query/queries that would show you all new computers added in the last week and all computers removed from inventory in the last week?

           

          Check-in times and Last Updates are OK, but you are really ending up with net numbers when you just do the usual breakout. I need everything so I can say which sites are losing/adding computers.

           

           

          UPDATE: Audit Log will show you which new systems were added within a certain time frame and which systems were deleted. Have to export to Excel and use "Text to Columns"/Pivot Tables to co-locate to a site...

           

          You can customize thru the ePO console how long before a system is deleted by agent-server communication.

           

           

          Message was edited by: epository on 4/8/10 6:47:34 AM CDT

           

           

          Message was edited by: epository on 4/8/10 9:07:29 AM CDT
          • 2. Re: Last Update vs. Last Detected Time Query

            I am not a product expert but does your post belong in our HIPs product area here?

             

            Host Intrusion Prevention

             

            Let me know and I will move it.

            • 3. Re: Last Update vs. Last Detected Time Query
              bgable

              I think this is an ePO question...

              • 4. Re: Last Update vs. Last Detected Time Query
                epository

                This is an ePO question and not answered.

                • 5. Re: Last Update vs. Last Detected Time Query

                  Ok, trying again. I've moved this to our ePO area. Hopefully a product expert can help you soon.

                  • 6. Re: Last Update vs. Last Detected Time Query
                    SCtbe

                    I think that for added systems it would be better to create a Managed System query and filter the results using the First Detected Time property from the Detection Sources category.

                    • 7. Re: Last Update vs. Last Detected Time Query
                      Attila Polinger

                      Hi,

                       

                       

                      With no filter applied, I get 40K systems

                       

                      With Last Update Within the last 2 Weeks filter, I get 30K systems

                       

                      With Last Detected Time within the last 2 Weeks filter, I get 25K systems.

                       

                      These are huge deltas and I am also breaking out deployment modules.....which filter is best for reporting accurate numbers to my boss?

                      I think the second query would be good for all active systems.

                      The third query may not be relevant here, as this field does not really reflect anything other than when the RSD sensor last detected its traffic.

                      /all supposing that you do not have nodes with AgentGUID problem and duplicate nodes and no RSD exceptions/

                      Also, anyone have any ideas on how to make a query/queries that would show you all new computers added in the last week and all computers removed from inventory in the last week?

                       

                      Check-in times and Last Updates are OK, but you are really ending up with net numbers when you just do the usual breakout. I need everything so I can say which sites are losing/adding computers.

                       

                       

                      UPDATE: Audit Log will show you which new systems were added within a certain time frame and which systems were deleted. Have to export to Excel and use "Text to Columns"/Pivot Tables to co-locate to a site...

                       

                      You can customize thru the ePO console how long before a system is deleted by agent-server communication.

                       

                       

                      I think the Last Update field is not really eligible to use in queries to find recent new nodes added to the tree, since this field is being constantly updated from existing systems, too. (Although when this field has an old value, then it could be an indication of a node "getting lost" from a given group.)

                       

                      Last Detected Time might also not be eligible since it is also updated if you have an RSD sensor.

                       

                      I made some investigations and there is a technical way of tracking nodes getting created and deleted but this requires extra programming within the SQL database and the result won't be accessible from within ePO queries (or I suppose so) only from direct SQL queries.

                       

                      As for Audit Log: this is to be found in the OrionAuditLog table in the database, so if you prepare an Excel, you can embed an SQL query which directly lists - filtered - sections of this table.

                       

                      Attila
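
An added example, not code from any poster in this thread: one way to get gross added/removed counts per site, rather than net numbers, is to diff two Managed Systems exports taken a week apart, alongside the two-week Last Update activity filter discussed above. The column names (`AgentGUID`, `Site`, `LastUpdate`) and the sample rows are constructed assumptions, not ePO's actual export schema.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample exports; column names are assumptions, not ePO's real schema.
LAST_WEEK = """AgentGUID,Site,LastUpdate
g-001,Austin,2010-03-30 08:00
g-002,Austin,2010-03-29 09:15
g-003,Dallas,2010-03-31 10:30
g-004,Dallas,2010-02-01 07:45
"""
THIS_WEEK = """AgentGUID,Site,LastUpdate
g-001,Austin,2010-04-07 08:00
g-003,Dallas,2010-04-06 10:30
g-004,Dallas,2010-02-01 07:45
g-005,Dallas,2010-04-07 11:00
g-006,Austin,2010-04-05 12:00
g-006,Austin,2010-04-05 12:00
"""

def load(text):
    """Index rows by agent GUID; a repeated GUID (duplicate node) is kept once."""
    return {row["AgentGUID"]: row for row in csv.DictReader(io.StringIO(text))}

def site_changes(old, new):
    """Gross per-site counts of systems added to and removed from inventory."""
    added = Counter(new[g]["Site"] for g in new.keys() - old.keys())
    removed = Counter(old[g]["Site"] for g in old.keys() - new.keys())
    return {s: {"added": added[s], "removed": removed[s], "net": added[s] - removed[s]}
            for s in sorted(added.keys() | removed.keys())}

def active(systems, as_of, days=14):
    """GUIDs whose LastUpdate falls within `days` of `as_of` (the 2-week filter)."""
    cutoff = as_of - timedelta(days=days)
    return sorted(g for g, r in systems.items()
                  if datetime.strptime(r["LastUpdate"], "%Y-%m-%d %H:%M") >= cutoff)

if __name__ == "__main__":
    old, new = load(LAST_WEEK), load(THIS_WEEK)
    for site, counts in site_changes(old, new).items():
        print(site, counts)
    print("active:", active(new, datetime(2010, 4, 8)))
```

In the sample data Austin shows a net change of 0 while having one system added and one removed, which is the churn a net breakout hides.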

                      • 8. Re: Last Update vs. Last Detected Time Query
                        SCtbe

                        There is an option to filter out detection source type and match it to epo.agent.

                        • 9. Re: Last Update vs. Last Detected Time Query
                          Attila Polinger

                          As far as I know it only happens every 7 days or so (to give precedence to RSD sensor) and merely to update the properties of the detected item.
