This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XQL query to find endpoints where X application is installed but not Y application

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL query to find endpoints where X application is installed but not Y application

NathanBradley
L3 Networker

‎10-10-2022 01:10 PM

Im needing to find endpoints that have a certain application (Application1) installed but then does not have (Application2) installed

The query below returns results that have either Application1 or Application2

Im downloading the results and then using excel to find non duplicates, any way for xql to give me the results i need?

 

config case_sensitive = false timeframe=1d
| dataset = host_inventory
| filter applications != null
| arrayexpand applications
| alter applicationname=json_extract(applications, "$.application_name")
| alter applicationversion=json_extract(applications, "$.version")
| alter appvendor=json_extract(applications, "$.vendor")
| alter installdate=json_extract(applications, "$.install_date")
| filter applicationname contains "Application1" or applicationname contains "Application2"
| fields host_name, applicationname, applicationversion, appvendor, installdate, system_type, product_type, ip_addresses

0 Likes Likes
2 REPLIES 2

bbarmanroy
L5 Sessionator

‎10-10-2022 10:48 PM

Hi @NathanBradle, now that's a tricky one!
See if this helps:

dataset = host_inventory
| filter applications != null
| arrayexpand applications
| alter applicationname=json_extract(applications, "$.application_name")
| alter applicationversion=json_extract(applications, "$.version")
| alter appvendor=json_extract(applications, "$.vendor")
| alter installdate=json_extract(applications, "$.install_date")
| alter applicationNameCount = "0" // create a new column called 'applicationnameC
| alter applicationNameCount  = if (applicationname contains "Chrome", replace (applicationNameCount, "0" , "1" ), applicationNameCount ) // if application 1 is installed
| alter applicationNameCount  = if (applicationname contains "Firefox", replace (applicationNameCount, "0", "2"), applicationNameCount ) // if application 2 is installed
| comp sum (to_integer(applicationNameCount)) as appInstalled by host_name 
| filter appInstalled = 1

 

 

0 Likes Likes

NathanBradley
L3 Networker

‎10-11-2022 06:48 AM

Thanks a ton I would not have gotten there, i was spot checking results at least 1 endpoint it didnt get

The endpoint below does have App1 but does not have App2

Could it be because the query got host_inventory data from 2 days, so there are 2 instances of App1 listed

Im not entirely sure what the last 2 lines of your query do though

 

NathanBradley_0-1665495995108.png

 

0 Likes Likes
  • 2726 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks