08-31-2023 08:09 AM - edited 08-31-2023 08:10 AM
Hello,
I'm trying to search for all installed vpn on endpoints using an XQL Query.
Before going further in my query, I'm trying to list all hosts where the application name contains "*vpn*".
This result and the result from host insight doing the same search are different. Somes endpoints are not showing in the query. So I've tried to search for those missing endpoints in query. I only find them when using the dataset "endpoints". I can't find them using host_inventory.
Why?
08-31-2023 10:32 AM
Hello @RemiLiquete
Thanks for reaching out on LiveCommunity!
Possible reason for not getting same number of hosts in endpoint and host_inventory dataset can be that the host insight capability was not enabled for all the hosts in agent setting profile. Other possible reason can be that you have limited number of Host Insight licenses which are required for host_inventory to work. Hence you may be missing out data from some of the hosts in host_inventory dataset.
08-31-2023 10:32 AM
Hello @RemiLiquete
Thanks for reaching out on LiveCommunity!
Possible reason for not getting same number of hosts in endpoint and host_inventory dataset can be that the host insight capability was not enabled for all the hosts in agent setting profile. Other possible reason can be that you have limited number of Host Insight licenses which are required for host_inventory to work. Hence you may be missing out data from some of the hosts in host_inventory dataset.
09-01-2023 01:11 AM
Hello @nsinghvirk
Thank you for your answer!
You're right, this is a licenses problem; I didn't check that.
09-12-2023 09:16 AM
Hey @RemiLiquete,
please set me know if you also have the problem to get them inside host inventory when your licence issue is solved.
In my opinion you have to reinstall the agent, because I have severall clients which are not visible in the host inventory after license upgrade.
BR
Rob
09-13-2023 08:20 AM
Hello, thank you for the information.
For now, I did not resolve this issue since it's not impacting for now. I let you know if it changes.
09-13-2023 01:42 PM
You're welcome!
Maybe you have more visibility with this XQL:
config case_sensitive = false
| dataset = endpoints
|join conflict_strategy = both type = left (dataset = host_inventory ) as HI HI.host_name = endpoint_name and HI.agent_domain = domain
|fields domain , endpoint_name, last_seen, host_name, endpoint_status
|filter host_name = null
|sort desc last_seen
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
