Software Inventory query

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Software Inventory query

L3 Networker

Hi,

 

I'm using following query to get software inventory and it is working well. However to the results, as last column, I would like to add number of hosts which have particular software.  Could somebody advise how to do this please?

 

dataset = host_inventory
| arrayexpand applications
| alter software = json_extract(applications, "$.application_name"),software_vendor = json_extract(applications, "$.vendor")
| filter os_type = ENUM.OS_WINDOWS and product_type != ENUM.SERVER
| dedup software 
| fields software,software_vendor

 

1 accepted solution

Accepted Solutions

L5 Sessionator

Hello @Piotr_Kowalczyk ,

Using dataset which runs for 90 days, you will get multiple entries of same endpoint which may result in discrepancy in count. Instead you can call the preset.

preset = host_inventory_applications
| fields application_name , vendor , version , endpoint_name
| comp count(endpoint_name) as installations by application_name , vendor , version
| sort desc installations

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Ashutosh Patil

View solution in original post

7 REPLIES 7

L5 Sessionator

Hi @Piotr_Kowalczyk, thanks for reaching us using the Live Community.

Please try this one:

 

dataset = host_inventory
| arrayexpand applications
| alter software = json_extract(applications, "$.application_name"),software_vendor = json_extract(applications, "$.vendor")
| filter os_type = ENUM.OS_WINDOWS and product_type != ENUM.SERVER
| fields software,software_vendor, agent_name 
| comp count(agent_name) as installations by software,software_vendor 
| sort desc installations 
JM

L5 Sessionator

Hello @Piotr_Kowalczyk ,

 

Agent name may not be the good field to use for your use case.

Ashutosh Patil

L5 Sessionator

Hello @Piotr_Kowalczyk ,

Using dataset which runs for 90 days, you will get multiple entries of same endpoint which may result in discrepancy in count. Instead you can call the preset.

preset = host_inventory_applications
| fields application_name , vendor , version , endpoint_name
| comp count(endpoint_name) as installations by application_name , vendor , version
| sort desc installations

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Ashutosh Patil

L3 Networker

Aspatil, many thanks for your answer. Indeed using preset was better option as it didn't multiple values when run on 30 days. Will you be able to tell me why dataset = host_inventory gives multiple values but preset = host_inventory_application doesn't please?

Jmazzeo, many thanks for your reply. It was very close to what I was looking for, however when I run it on more than 24 hours it showed multiple values.

Hello @Piotr_Kowalczyk ,

 

The reason is dataset contains the raw data. Hence whenever scan happens the data get saved in it. The most important factor is _time field. I found that the multiple entries has different time, hence incorrect count. But, Preset has more efficient data and only contains required fields.

Ashutosh Patil

Thank you, Aspatil!

  • 1 accepted solution
  • 1786 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!