5 Replies Latest reply on Oct 22, 2008 12:02 AM by Medusoft

    Deleted systems still searchable and in queries

      I have been upgrading everyone to agent 4.0 and have ran the query to easily find systems that haven't gotten the update yet. I found some systems that were no longer around and deleted them from the ePo and selected to remove agent as well. Then I noticed that the system is still in the query. So I went to the Systems and they are not there anymore. I search for them and find them. They are showing as being in the Global Root. How do I get these systems to actually delete so they aren't showing up anymore in my queries?

      Running ePo 4.0

      Thanks
        • 1. RE: Deleted systems still searchable and in queries
          try to create a query for these events and filter them so they only apply to computers that are in group global root or so.

          than create a scheduled server task with the action Purge Events. In this task you can choose to purge only the events that are part of a query of your choice, so the just created query.

          think that should help.
          • 2. RE: Deleted systems still searchable and in queries
            Thanks for your reply. I've tried setting up what you described and I think I'm lost. I created a query that only lists systems in the Global Root. Then I went to the server tasks and created a new task. I don't see a Purge Events. The Purge tasks I have are
            Purge Audit Log
            Purge Compliance History
            Purge Event Log
            Purge Notification Log
            Purge Rolled-up Compliance history
            Purge rolled-up Systems
            Purge Server Task Log

            The purge event log only has an option of how old do you want to keep the log. So I tried the Run Query action and picked the query that I created and then picked delete systems. It gave an error

            "Task validation failure:

            Unable to create Command ComputerMgmt.delete.system in task Global Root [null] "

            Am I doing something wrong? Running that query showed me that any system that I have deleted in the past has ended up there. I was only aware of 2 or 3 (that I deleted yesterday) and there are actually 19 systems in the Global Root.

            Thanks for your help.
            • 3. RE: Deleted systems still searchable and in queries
              The action you choose should be of type Purge Event Log.

              There you have two suboptions:

              • Purge records older than 1 days
              • Purge by query



              Choose the latter. Than select the query you just created, and all should be working just fine.

              The query i created to run is as follows:

              1. Result Type: Events
              2. Chart: Table
              3. Columns: Leave Default
              4. Filter: Assignment Path ... Equals ... GlobalRoot



              I exported the query to .xml. Below are the contents of that .xml file. Copy and paste them into notepad and save the file as whatever.xml. You will than be able to import it.

              Events of Deleted Systems:

              <queries>
              <query>
              <name language="nl">Events of Deleted Systems</name>
              <description language="nl"></description>
              <property name="target">EPOEvents</property>
              <property name="tableURI">query:table?orion.table.columns=EPOEvents.DetectedUTC%3AEPOEvents.Analyzer%3AEPOEvents.TargetHostName%3AEPOEvents.TargetIPV4%3AEPOEvents.ThreatCategory%3AEPOEvents.ThreatEventID%3AEPOEvents.ThreatSeverity%3AEPOEvents.ThreatName&amp;orion.table.order.by=EPOEvents.DetectedUTC%3AEPOEvents.Analyzer%3AEPOEvents.TargetHostName%3AEPOEvents.TargetIPV4%3AEPOEvents.ThreatCategory%3AEPOEvents.ThreatEventID%3AEPOEvents.ThreatSeverity%3AEPOEvents.ThreatName&amp;orion.table.order=az</property>
              <property name="conditionURI">query:condition?orion.condition.sexp=%28+where+%28+eq+EPOBranchNode.NodeTextPath+%22GlobalRoot%22+%29+%29</property>
              <property name="summaryURI">query:summary?orion.chart.type=table&amp;orion.sum.query=false</property>
              </query>
              </queries>
              • 4. RE: Deleted systems still searchable and in queries
                Thanks. That got rid of the events by the machines in the global root, but it didn't get rid of the machines themselves. I did however figure out why it was doing that. I found that if you delete a system and check the Remove Agent it moves the system to Global Root until the system checks in and uninstalls the agent then it deletes it completely.

                Thanks for your help.
                • 5. RE: Deleted systems still searchable and in queries
                  A I can imagine that!

                  you can offcourse use the same implementation for removing those systems as for the events using the scheduled server task "Run Query". Specify a query of choice (the one showing computers in global root), than choose Delete System as the subaction.

                  The downside offcourse is that the agent removal task will be deleted as well than happy