Can you edit the SQL expression for your query directly and put a "GROUP BY systemname" at the end?
Another try would be to put "DISTINCT" after the "SELECT" command.
I have to say, I'm pretty ignorant when it comes down to the SQL query level... is there a document on proper syntax?
Also how exactly do you go about editing the actual SQL query? I assume I would have to export the query in XML, modify it, and then reinsert it?
Here is my exported query which produces a table of Host Names that have been infected with Qhosts.apd (a Trojan hijack to modify the hosts file) within the last 5 days:
<name language="en">VSE: Hosts detected with specific infections within the last 5 days (Test)</name>
<description language="en">Query produces table of Computer Names for use with the Automated Task</description>
<property name="tableURI">query:table?orion.table.columns=EPOEvents.TargetHostName&orion.table.order=az&orion.table.order.by=EPOEvents.TargetHostName</property>
<property name="conditionURI">query:condition?orion.condition.sexp=%28+where+%28+and+%28+eq+EPOEvents.ThreatName+%22Qhosts.apd%22+%29+%28+newerThan+EPOEvents.ReceivedUTC+432000000++%29+%29+%29</property>
<property name="summaryURI">query:summary?orion.chart.type=table&orion.sum.query=false</property>
As I reviewed this, you cannot do it this way because the DISTINCT command has to be placed before the column in the SELECT statement. I have not yet found out how this is generated by ePO.
Perhaps someone else?
Perhaps try editing this and reimport the query:
<property name="tableURI">query:table?orion.table.columns=EPOEvents.TargetHostName&
<property name="tableURI">query:table?orion.table.columns=DISTINCT EPOEvents.TargetHostName&
No guarantee :)
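The conditionURI in the exported query is a URL-encoded s-expression. The Python sketch below is an added example, not part of the original thread or of ePO itself; it decodes that property so the filter can be checked before an edited query is reimported. It handles only the operators that appear in the post (where, and, eq, newerThan), and reading the newerThan value as milliseconds is an inference from 432000000 matching the stated 5 days.

```python
import re
from urllib.parse import parse_qs

# Sample input: the conditionURI value from the exported query in the thread,
# written as one continuous string.
CONDITION_URI = (
    "query:condition?orion.condition.sexp=%28+where+%28+and+%28+eq+"
    "EPOEvents.ThreatName+%22Qhosts.apd%22+%29+%28+newerThan+"
    "EPOEvents.ReceivedUTC+432000000++%29+%29+%29"
)
MS_PER_DAY = 24 * 60 * 60 * 1000  # assumption: newerThan is in milliseconds
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def decode_sexp(uri):
    """Return the URL-decoded s-expression carried in the URI's query string."""
    return parse_qs(uri.split("?", 1)[1])["orion.condition.sexp"][0]

def parse(tokens):
    """Recursive-descent parse of a token list into nested Python lists."""
    if not tokens:
        raise ValueError("unbalanced expression")
    tok = tokens.pop(0)
    if tok == ")":
        raise ValueError("unexpected ')'")
    if tok != "(":
        return tok.strip('"')          # atom: column name, number or quoted string
    node = []
    while tokens and tokens[0] != ")":
        node.append(parse(tokens))
    if not tokens:
        raise ValueError("missing ')'")
    tokens.pop(0)                      # consume the closing parenthesis
    return node

def parse_condition(uri):
    return parse(TOKEN.findall(decode_sexp(uri)))

def describe(node):
    """Render the parsed condition as a readable filter description."""
    op, *args = node
    if op == "where":
        return describe(args[0])
    if op == "and":
        return " AND ".join(describe(a) for a in args)
    if op == "eq":
        return f"{args[0]} = '{args[1]}'"
    if op == "newerThan":
        return f"{args[0]} within last {int(args[1]) / MS_PER_DAY:g} days"
    raise ValueError(f"operator not covered by this sketch: {op}")

if __name__ == "__main__":
    print(describe(parse_condition(CONDITION_URI)))
```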