This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

XQL query to get a list of current applications installed on hosts

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL query to get a list of current applications installed on hosts

K.Dadana633909
L0 Member

‎01-23-2026 01:46 PM

Hello everyone,

 

Our team is trying to utilize the XDR host inventory dataset to gather details on what applications are installed on each host.

 

We’re encountering an issue with Cortex XDR Host Inventory queries returning stale host data, which is producing duplicate host/application sets in our results. Is anyone aware of how we can resolve this issue?

 

The current XQL we are utilizing:

 

dataset = host_inventory

| filter applications != null

| arrayexpand applications

| alter applications=json_extract(applications, "$.application_name"), software_vendor = json_extract(applications, "$.vendor"), software_verion = json_extract(applications, "$.version")

| join (dataset = endpoints) as EP EP.endpoint_name = host_name

| fields host_name, applications, software_verion, group_names

| arrayexpand group_names limit 1

| sort asc group_names

//| comp count(applications) by host_name

// | dedup applications by desc host_name (optional)

 
 
0 Likes Likes
1 REPLY 1

susekar
L3 Networker

‎01-23-2026 02:12 PM

Hello @K.Dadana633909 ,

 

Greetings for the day.

 

The issue of duplicate host/application sets in your results occurs because the host_inventory dataset is a log-based, point-in-time dataset. Unlike the standard endpoints dataset, which generally reflects the current state, host_inventory stores historical records of every inventory scan (which occurs by default every 24 hours). Without a deduplication stage, your query returns every historical application scan ever reported for each host in the specified timeframe.

 

To resolve this and ensure you are only seeing the most recent application data, follow these steps:

1. Apply Deduplication to the host_inventory Dataset

You must use the dedup stage to isolate the most recent scan for each host. It is most efficient to perform this deduplication before the arrayexpand and join stages to reduce the number of rows processed.

Recommended deduplication logic:

dataset = host_inventory
| dedup host_name by desc _time

This ensures you only process the single latest inventory report for each hostname. If your environment has hosts with duplicate names, deduplicate by agent_id or serial_number instead.

2. Use the host_inventory_applications Preset

For application-specific queries, using the dedicated preset is often more efficient and is the recommended approach for software inventory reports. This preset is optimized for application data and reduces the need for manual JSON extraction from the applications field.

3. Verify Version and Known Bugs

If you are running Cortex XDR/XSIAM version 3.16, be aware of a known bug (CRTX-209483) that specifically caused the host_inventory dataset to return massive amounts of duplicate historical data regardless of filters. Ensure your tenant has received the latest backend hotfixes to address this.

Optimized XQL Query Example

Based on your original query, here is an optimized version that incorporates deduplication and performance best practices:

// Set a specific timeframe to avoid scanning unnecessary historical logs
config timeframe = 7d 
| dataset = host_inventory
// 1. Get the latest scan per host before expanding applications
| dedup host_name by desc _time 
| filter applications != null
| arrayexpand applications
| alter 
    applications = json_extract(applications, "$.application_name"), 
    software_vendor = json_extract(applications, "$.vendor"), 
    software_version = json_extract(applications, "$.version")
// 2. Join with deduped endpoints to ensure one-to-one mapping
| join (dataset = endpoints | dedup endpoint_name) as EP EP.endpoint_name = host_name
| fields host_name, applications, software_version, group_names
| arrayexpand group_names limit 1
| sort asc group_names

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Happy New year!!

 

Thanks & Regards,
S. Subashkar Sekar

(1)
  • 1316 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks