This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XQL query display hosts with KB not installed

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XQL query display hosts with KB not installed

Piotr_Kowalczyk
L3 Networker

‎02-21-2024 04:02 AM

Hi,

If I want to display hosts with some KBs installed, it is relatively easy as I use following query:

preset = host_inventory_kbs
| filter endpoint_type contains "WORKSTATION" and hotfix_id in ("KB5034763","KB5034122")
| fields  endpoint_name

Problem starts when I want to display hosts without any of KBs installed as with operator NOT IN, results shows all other patches not hosts without them. Could somebody advise how to create it correctly please? 

0 Likes Likes
4 REPLIES 4

CJNTS
L2 Linker

‎02-23-2024 11:24 AM

Try this using one KB value at a time.

 

preset = host_inventory_kbs
| filter endpoint_type contains "WORKSTATION"
| filter hotfix_id != null
| filter hotfix_id not contains "KB5034763"
| fields endpoint_name, hotfix_id

0 Likes Likes

Piotr_Kowalczyk
L3 Networker
In response to CJNTS

‎02-27-2024 04:40 AM

Thanks for your reply.

 

Unfortunately this query doesn't do what I was looking for. The result displays all patches which are not "KB5034763" and on which host they are installed so around 12,000 items with 800 hosts. I'm looking to display hosts which don't have this patch installed, the results should be less then total number of hosts.

0 Likes Likes

tporritt
L0 Member
In response to Piotr_Kowalczyk

‎03-12-2024 12:07 PM

Try this maybe?  It removes the hotfix ID and uses dedup to limit the list to single entries for hosts:
preset = host_inventory_kbs
| filter endpoint_type contains "WORKSTATION"
| filter hotfix_id != null
| filter hotfix_id not contains "KB5034763"
| fields endpoint_name
| dedup endpoint_name

0 Likes Likes

Piotr_Kowalczyk
L3 Networker
In response to tporritt

‎03-13-2024 03:25 AM

Hi,

 

Thank you for the reply.

 

Sadly the query doesn't work. If the KB5034763 would be the only update on computer it would give proper results but as it is not, it shows all other updates and as a result after deduplication, returns all computers.

0 Likes Likes
  • 487 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks