https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521564#M3160 <P>Thank you for the response .&nbsp;</P> <P>&nbsp;</P> <P><SPAN><SPAN class="">Since we have kuberneted we need an output where it gives us windows, Linux and kuberenetes</SPAN></SPAN></P> <P><SPAN><SPAN class="">Would that be possible with this ? As the data sets for both are different</SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><LI-WRAPPER></LI-WRAPPER></P> Thu, 17 Nov 2022 18:10:24 GMT Shashanksinha 2022-11-17T18:10:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521529#M3156 <P>Hello,&nbsp;</P> <P>I have used the below query to get the number of the operating system.</P> <P><SPAN>dataset = endpoints</SPAN><BR /><SPAN>| filter endpoint_status = CONNECTED</SPAN><BR /><SPAN>| alter operating_system = to_json_string(operating_system)</SPAN><BR /><SPAN>| alter operating_system1 = regextract(operating_system , "[^\.]*(Centos|RHEL|Amazon|Windows|Ubuntu)")</SPAN><BR /><SPAN>| alter operating_system2 = arraystring(operating_system1 , ":")</SPAN><BR /><SPAN>| fields operating_system , endpoint_name, operating_system2</SPAN><BR /><SPAN>| comp count(endpoint_name) as counter by operating_system2</SPAN><BR /><SPAN>| sort desc counter</SPAN></P> <P>&nbsp;</P> <P>How do I go forward from here and display the sum of RHEL, CENTOS as Linux in the table .&nbsp;</P> <P>&nbsp;</P> Thu, 17 Nov 2022 13:21:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521529#M3156 Shashanksinha 2022-11-17T13:21:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521552#M3159 <P><SPAN>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/203123">@Shashanksinha</a>,&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>If your goal is to count the number of agents by OS and simplify its grouping, I would suggest using the “agent_os_type” filter under the xdr_data dataset. This filter groups agent OS types that are currently connected (example output: AGENT_OS_WINDOWS). You can then take it a step further using “dedup” to establish a single entry per IP address associated with the connected operating systems. This query could look something like:</SPAN></P> <P>&nbsp;</P> <P><SPAN>dataset = xdr_data</SPAN></P> <P><SPAN>| filter agent_os_type != NULL and agent_ip_addresses != NULL</SPAN></P> <P><SPAN>| fields agent_os_type as type, agent_ip_addresses as ip</SPAN></P> <P><SPAN>| dedup ip by asc ip</SPAN></P> <P><SPAN>| comp count(type) as count by type&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope that helps! I would also be curious to know if this solved your issue.</SPAN></P> Thu, 17 Nov 2022 16:48:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521552#M3159 mfakhouri 2022-11-17T16:48:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521564#M3160 <P>Thank you for the response .&nbsp;</P> <P>&nbsp;</P> <P><SPAN><SPAN class="">Since we have kuberneted we need an output where it gives us windows, Linux and kuberenetes</SPAN></SPAN></P> <P><SPAN><SPAN class="">Would that be possible with this ? As the data sets for both are different</SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><LI-WRAPPER></LI-WRAPPER></P> Thu, 17 Nov 2022 18:10:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521564#M3160 Shashanksinha 2022-11-17T18:10:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521575#M3162 <P><SPAN>No problem!</SPAN></P> <P>&nbsp;</P> <P><SPAN>I tweaked the prior query to also be compatible with the endpoints dataset:</SPAN></P> <P>&nbsp;</P> <P><SPAN>dataset = endpoints</SPAN></P> <P><SPAN>| filter endpoint_status = CONNECTED</SPAN></P> <P><SPAN>| filter operating_system != null and last_seen != null</SPAN></P> <P><SPAN>| fields operating_system as type, last_seen as ls</SPAN></P> <P><SPAN>| dedup ls by desc ls</SPAN></P> <P><SPAN>| comp count(type) as count by type</SPAN></P> <P>&nbsp;</P> <P><SPAN>The IP address field doesn’t seem to be compatible with the query when the dataset is set to endpoints. But, I’ve found similar functionality with the agent “last_seen” field. This is likely due to the data type that is used depending on the dataset. How does this query work out with your implementation?</SPAN></P> Thu, 17 Nov 2022 20:27:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521575#M3162 mfakhouri 2022-11-17T20:27:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521675#M3164 <P>Hello&nbsp;</P> <P>Thanks for the response .&nbsp;</P> <P>Currently this query gives me operating system individually .But I want to be able to sumup 3 operating systems and name them as Linux and do the same for windows .</P> Fri, 18 Nov 2022 12:05:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-get-the-number-of-the-operating-system/m-p/521675#M3164 Shashanksinha 2022-11-18T12:05:06Z