https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-find-all-mac-os-endpoints-and-return-the-version-of/m-p/596309#M7125 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222214">@rhodgkins1</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Please try using below query. json_extract() function can be used to extract JSON fields.</P> <P>dataset = host_inventory<BR />| filter os_type contains "OS_MAC"<BR />| filter applications contains "netskope"<BR />| arrayexpand applications <BR />| alter abc = json_extract(applications ,"$.version")<BR />| fields host_name, abc as Application_version</P> <P>&nbsp;</P> <P>Please c<SPAN>lick&nbsp;</SPAN><STRONG>Accept as Solution</STRONG><SPAN>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Thu, 29 Aug 2024 15:36:18 GMT nsinghvirk 2024-08-29T15:36:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-find-all-mac-os-endpoints-and-return-the-version-of/m-p/596294#M7124 <P>I am new to using xql and I am having trouble getting the information I need using a search query. I need to pull a list of all Mac_OS hosts and then within the applications field return the version of NetSkope installed on the client. I have started with the following query which returns the basic data, but I am lost as to how to extract the information from the applications field which is in a json format. Here is the query along with the sample block from the json data that I need to get. This JSON data is located within the Applications field.&nbsp;</P> <P>&nbsp;</P> <P>dataset = host_inventory<BR />| filter os_type contains "OS_MAC"<BR />| filter applications contains "netskope"<BR />| fields host_name, applications </P> <P>&nbsp;</P> <P>{<BR />"identifier": "com.netskope.client.Netskope-Client",<BR />"install_date": null,<BR />"installed_for_sid": "global",<BR />"is_from_appstore": false,<BR />"key_name": null,<BR />"manager_name": "macOS",<BR />"application_name": "Netskope Client",<BR />"raw_version": "118.1.1.2131 (118.1.1.2131)",<BR />"uninstall_string": null,<BR />"url_info_about": null,<BR />"url_update_info": null,<BR />"vendor": "netSkope, Inc.",<BR />"version": "118.1.1.2131",<BR />"win_installer": null</P> <P>&nbsp;</P> Thu, 29 Aug 2024 11:48:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-find-all-mac-os-endpoints-and-return-the-version-of/m-p/596294#M7124 rhodgkins1 2024-08-29T11:48:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-find-all-mac-os-endpoints-and-return-the-version-of/m-p/596309#M7125 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222214">@rhodgkins1</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Please try using below query. json_extract() function can be used to extract JSON fields.</P> <P>dataset = host_inventory<BR />| filter os_type contains "OS_MAC"<BR />| filter applications contains "netskope"<BR />| arrayexpand applications <BR />| alter abc = json_extract(applications ,"$.version")<BR />| fields host_name, abc as Application_version</P> <P>&nbsp;</P> <P>Please c<SPAN>lick&nbsp;</SPAN><STRONG>Accept as Solution</STRONG><SPAN>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Thu, 29 Aug 2024 15:36:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-find-all-mac-os-endpoints-and-return-the-version-of/m-p/596309#M7125 nsinghvirk 2024-08-29T15:36:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-find-all-mac-os-endpoints-and-return-the-version-of/m-p/596317#M7126 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256101">@nsinghvirk</a>&nbsp;thank you very much for your reply. This is getting much closer. However this is returning the version of every piece of software on the endpoints. I just need to have each host return the version of NetSkope installed on the host. In the code block below is the data I need to extract. If "Netskope Client" is the application_name, then I need the version.&nbsp;<BR /><BR /><SPAN>{</SPAN><BR /><SPAN>"identifier": "com.netskope.client.Netskope-Client",</SPAN><BR /><SPAN>"install_date": null,</SPAN><BR /><SPAN>"installed_for_sid": "global",</SPAN><BR /><SPAN>"is_from_appstore": false,</SPAN><BR /><SPAN>"key_name": null,</SPAN><BR /><SPAN>"manager_name": "macOS",</SPAN><BR /><SPAN>"application_name": "Netskope Client",</SPAN><BR /><SPAN>"raw_version": "118.1.1.2131 (118.1.1.2131)",</SPAN><BR /><SPAN>"uninstall_string": null,</SPAN><BR /><SPAN>"url_info_about": null,</SPAN><BR /><SPAN>"url_update_info": null,</SPAN><BR /><SPAN>"vendor": "netSkope, Inc.",</SPAN><BR /><SPAN>"version": "118.1.1.2131",</SPAN><BR /><SPAN>"win_installer": null</SPAN></P> Thu, 29 Aug 2024 17:21:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-find-all-mac-os-endpoints-and-return-the-version-of/m-p/596317#M7126 rhodgkins1 2024-08-29T17:21:52Z