-
1. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?
Gaurav Sharma Dec 30, 2014 12:08 AM (in response to Brent Dickinson)
Hi Brent,
Either you can use the below report available at Infrastructure > Infrastructure Host Reports > Newly Discovered Hosts
- Newly Discovered Hosts – Report to show new Hosts found in the given period.
Or you can use the createdDuring(node, start, end) function (http://discovery.bmc.com/confluence/display/90/Query+Language+Functions) to get the list of Hosts/Nodes discovered between a given time.
Thanks,
Gaurav
-
2. Re: Re: How do I filter the results of a sweep scan for only newly discovered endpoints?
Brent Dickinson Dec 30, 2014 10:37 AM (in response to Gaurav Sharma)
If only it was that easy.
Unfortunately, the sweep scans do not actually create a host, networkdevice or snmpdevice, but rather indicate an endpoint exists with a valid credential captured in DiscoveryAccess. What I’m seeing from the DiscoveryAccess is the DeviceInfo.hostname typically returns an IP address if the host isn’t already discovered, but not always.
It stands to reason any "known" target would have had to meet the required methods needed for creation. In all cases (Host, NetworkDevice and SNMPDevice) the getMACAddresses method must pass for node creation. What I think would be a good indicator of a newly discovered endpoint in DiscoveryAccess is an endpoint without a corresponding MACAddress.
I'm still fuzzy on how to make that traversal...
-
3. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?
Anthony Abate Dec 30, 2014 1:54 PM (in response to Brent Dickinson)
Brent, how about searching on the discovery access results? When a device is identified from a sweep scan it has a result of "DeviceIdentified". Using this I then said give me all the hosts that did not have a previous successful discovery access. There is probably more data than is needed here but this was able to get a report that seems to get what you would want.
SEARCH DiscoveryAccess WHERE end_state = 'DeviceIdentified' and _last_marker and not nodecount(traverse Next:Sequential:Previous:DiscoveryAccess WHERE result defined)
show endpoint, state, result, end_state, reason, device_summary, discovery_starttime, discovery_endtime, is_being_held, #Next:Sequential:Previous:DiscoveryAccess.device_summary as 'Device Summary', #Next:Sequential:Previous:DiscoveryAccess.result as 'Previous Result'
Couple things to note, the "_last_marker" flag will get the last known access, so the data here is based on the most recent and the previous discovery access. You could change it to say you only want to exclude hosts that had a successful discovery access on their previous discovery access rather than never having any discovery access. But I think that's your own preference.
-Anthony
-
4. Re: Re: How do I filter the results of a sweep scan for only newly discovered endpoints?
Brent Dickinson Dec 30, 2014 2:42 PM (in response to Anthony Abate)
Anthony,
Thank you, that did it. This was the last piece needed to completely automate my discovery schedules. I now have crontabs that query and scan "Seen but not discovered", create and start sweep scans based on non-routable subnets, and that cycle through my known universe on a weekly basis.
Life is good!
Cheers and Happy New Year!
--Brent
-
5. Re: How do I filter the results of a sweep scan for only newly discovered endpoints?
Brice-Emmanuel Loiseaux May 23, 2019 4:59 PM (in response to Anthony Abate)
A better answer for current Discovery versions has been provided in Re: Discovery Report Query Unique List of Active IP Addresses