Cortex XDR - New Widget

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR - New Widget

L3 Networker

Hello,

 

Can we create a widget with regards to endpoint tag and number of agents?

 

7 REPLIES 7

L5 Sessionator

Hi @RamyashreeMada Yes, you can.

 

Share the XQL that you've written so far, and let us work together to fine-tune it for your needs.
Hint: you'll start off with 

dataset = endpoints
| alter server_tags = tags ->server_tags[]

 

Hi,

 

Currently, we need create a graph with X-axis as all the different tags and Y-axis as the number of endpoints. Now the tags we have is in the format "Team A: Product 1". In this we have to get numbers of endpoint for Team A tag + another widget for the different products in Team A tag. Currently, my SQL query looks like this

 

Dataset = Endpoints

| Tags contains "Team A"

 

It would be helpful if you guide us on how we proceed further. 

Hi @Aiman_Fathima , you'll need to process it further to narrow down to the exact tag before you can count it (or at least cleanly). There are two ways to do it.

1. The recommended way is to change the tags from "TeamA:Product1" to two tags "TeamA, Product1". This will allow you to slice and dice more effectively, without requiring to use "contains".

2. If you want to keep the current tag format, you'll have to use a 'split' function to split the tags, and then continue.

 

Once you do that, you'll end up with an array of tags. Expand it (using arrayexpand), and tell me what you think the next step should be!

 

 

Hello,

I tried to run this query . dataset = endpoints |filter tags contains "team A" |alter server_tags = tags -> server_tags[] | comp count(server_tags). I tried to display the tags in x axsis using the fields but it does not take tags or server_tags as a valid field.

L5 Sessionator

Hi @RamyashreeMada you are almost there.

This is what you wrote:

dataset = endpoints 
|filter tags contains "team A" 
|alter server_tags = tags -> server_tags[] 
| comp count(server_tags)

 

 

Line 3 contains the results of extracting the server_tags[] and returns an array. You'll need to use 'arrayexpand' to get results with each row containing one instance of server_tags. I advised the same in my earlier post.

 

dataset = endpoints 
|filter tags contains "tag" 
|alter server_tags = tags -> server_tags[] 
| arrayexpand server_tags 

 

The last step is to count the number of endpoints corresponding to each tag. Can you help us out here by telling how it should look like?

 

Hello,

 

Thanks! Basically our x axis should be the tag name and y axis the count of endpoints having the tag. 

That's right!

Can you share the final version of the query for everyone to be able to use it to their needs?

  • 2458 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!