5 Replies Latest reply on May 23, 2019 4:59 PM by Brice-Emmanuel Loiseaux

How do I filter the results of a sweep scan for only newly discovered endpoints?

Brent Dickinson Dec 29, 2014 1:22 PM

Share This:

I'm managing my discovery schedules using tw_query, tw_ipinject and cron. It
works very well and reduces my scheduling overhead by allowing me to add a
target/subnet by simply scanning it once. ADDM will then include the target
endpoint in its subsequent full scan and the subnet in subsequent sweep scan.
Using this technique, I've found I'm able to finish scans completely by
reducing my scan of dark space during full scans, and runs sweep scans against
all 600+ subnets in our environment, without worry of duplication or omission.
Finally, it also allows for dynamic rescanning of failed access of known
targets.

The one area I need to improve is identifying new hosts found in the sweep
scan. To that end, how do I filter the results of a sweep scan for only newly
discovered endpoints?

1. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

Gaurav Sharma Dec 30, 2014 12:08 AM (in response to Brent Dickinson)
Hi Brent,

Either you can use the below report available at Infrastructure > Infrastructure Host Reports >Newly Discovered Hosts

Newly Discovered Hosts – Report to show new Hosts found in the given period.

Or you can use the http://discovery.bmc.com/confluence/display/90/Query+Language+FunctionscreatedDuring(node, start, end) function to get the list of Hosts/Nodes discovered between a given time.

Thanks,
Gaurav
Like Show 0 Likes(0)

Actions
2. Re: Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

Brent Dickinson Dec 30, 2014 10:37 AM (in response to Gaurav Sharma)

If only it was that easy.

Unfortunately, the sweep scans do not actually create a host, networkdevice or snmpdevice, but rather indicates an endpoint exists with a valid credential captured in DiscoveryAccess. What I’m seeing from the DiscoveryAccess is the DeviceInfo.hostname typically returns an IP address if the host isn’t already discovered, but not always.

It stands to reason any "known" target would have had to met the required methods needed for creation. In all cases (Host, NetworkDevice and SNMPDevice) the getMACAddresses method must pass for node creation. What I think would be a good indicator of a newly discovered endpoint in DiscoveryAccess, is an endpoint without a corresponding MACAddress.

I'm still fuzzy on how to make that traversal...
Like Show 0 Likes(0)

Actions
3. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

Anthony Abate Dec 30, 2014 1:54 PM (in response to Brent Dickinson)

Brent how about searching on the discovery access results. When a device is identified from a sweep scan it has a result of "DeviceIdentified". Using this I then said give me all the hosts that did not have a previous successful discovery access. There is probably more data than is needed here but this was able to get a report that seems to get what you would want.

SEARCH DiscoveryAccess WHERE end_state = 'DeviceIdentified' and _last_marker and not nodecount(traverse Next:Sequential:Previous:DiscoveryAccess WHERE result defined)
show endpoint, state, result, end_state, reason, device_summary, discovery_starttime, discovery_endtime, is_being_held, #Next:Sequential:Previous:DiscoveryAccess.device_summary as 'Device Summary', #Next:Sequential:Previous:DiscoveryAccess.result as 'Previous Result'

Couple things to note, the "_last_marker" flag will get the last known access, so the data here is based on the most recent and the previous discovery access. You could change it to say you only want to exclude hosts that had a successful discovery access on their previous discovery access rather than never having any discovery access. But I think that's your own preference.

-Anthony
Like Show 0 Likes(0)

Actions
4. Re: Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

Brent Dickinson Dec 30, 2014 2:42 PM (in response to Anthony Abate)

Anthony,

Thank you, that did it. This was the last piece needed to completely automate my discovery schedules. I now have crontabs that query and scan "Seen but not discovered", create and start sweep scans based on non-routable subnets, and that cycle through my known universe on a weekly basis.

Life is good!

Cheers and Happy New Year!

--Brent
Like Show 0 Likes(0)

Actions
5. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

Brice-Emmanuel Loiseaux May 23, 2019 4:59 PM (in response to Anthony Abate)

A better answer for current Discovery versions has been provided in Re: Discovery Report Query Unique List of Active IP Addresses
Like Show 0 Likes(0)

Actions

Go to original post

Communities

Communities

How do I filter the results of a sweep scan for only newly discovered endpoints?

1. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

2. Re: Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

3. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

4. Re: Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

5. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?

Actions

More Like This

Incoming Links