XQL Query help is required to narrow down our requirement

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL Query help is required to narrow down our requirement

L1 Bithead

Dear All,

 

We are trying to understand that, there are certain applications installed on a host by using the below query. preset = host_inventory_applications
|filter endpoint_type = "AGENT_TYPE_WORKSTATION"
|filter application_name in("Application A","application B", "Application C") 
| comp latest(report_timestamp) by endpoint_name, application_name
| dedup endpoint_name, application_name
| sort asc endpoint_name  
| fields endpoint_name, application_name 

 

By running the above query, the result is that, we are getting hostname, application name etc, but we would like to get the result like the below.

Host Name, Applicatioin A, Application B etc, instead of duplicate entries of host with different applications.

Venu
1 ACCEPTED SOLUTION

Accepted Solutions

L3 Networker

Hi VenuK,

 

Try using the values function in the comp stage like in the example below. This will give you a field for each endpoint with an array of the applications 

preset = host_inventory_applications
|filter endpoint_type = AGENT_TYPE_WORKSTATION
|filter application_name in("Application A","application B", "Application C")
|comp values(application_name) as installed_applications by endpoint_name

 

Thanks,
Ben

View solution in original post

2 REPLIES 2

L3 Networker

Hi VenuK,

 

Try using the values function in the comp stage like in the example below. This will give you a field for each endpoint with an array of the applications 

preset = host_inventory_applications
|filter endpoint_type = AGENT_TYPE_WORKSTATION
|filter application_name in("Application A","application B", "Application C")
|comp values(application_name) as installed_applications by endpoint_name

 

Thanks,
Ben

L1 Bithead

You are really awesome @bbucao , this works

Venu
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!