10 Replies Latest reply on Aug 19, 2019 4:48 AM by Hitesh Jha

    DAs with No Access & No Response Report

    Hitesh Jha

      Hello Experts,

       

      I am working on No Access & No Response report and prepared the query as below.

      search DiscoveryAccess where (end_state = 'NoAccess' or end_state = 'No Response') and _last_marker defined show endpoint, end_state, reason, device_summary, discovery_starttime, discovery_endtime, _last_marker as 'Last Marker' processwith show endpoint as 'Endpoint', end_state as 'End State', reason as 'Reason', device_summary as 'Device Summary', discovery_starttime as 'Discovery Start Time', discovery_endtime as 'Discovery End Time', _last_marker as 'Last Marker', #DiscoveryAccess:DiscoveryAccessResult:DiscoveryResult:DeviceInfo.device_type as 'Device Type', #DiscoveryAccess:DiscoveryAccessResult:DiscoveryResult:DeviceInfo.hostname as 'Hostname', #DiscoveryAccess:DiscoveryAccessResult:DiscoveryResult:DeviceInfo.kind as 'Kind'

       

      But it contains lots of entries in the extracted report.

      Could you please let me know what else, or what different approach, I could use so that the end report will be more efficient?

       

      ~Hitesh

        • 1. Re: DAs with No Access & No Response Report
          Lisa Keeler

          Well, you already have the "where ... and _last_marker defined", so it is only showing the most recent DA for the endpoint.

           

          So, it is already a pretty good query.

           

          You could restrict by a date, such as only the DAs in the last 7 days.

           

          where discovery_starttime  > (currentTime() - 7*24*3600*10000000)

           

          Change the "7" to "30" to get 30 days, and so on.

           

           

          search DiscoveryAccess

          where (end_state = 'NoAccess' or end_state = 'No Response')

             and _last_marker defined

             and discovery_starttime  >  (currentTime() - 7*24*3600*10000000)

          show endpoint, end_state, reason, device_summary, discovery_starttime, discovery_endtime, _last_marker as 'Last Marker' processwith show endpoint as 'Endpoint', end_state as 'End State', reason as 'Reason', device_summary as 'Device Summary', discovery_starttime as 'Discovery Start Time', discovery_endtime as 'Discovery End Time', _last_marker as 'Last Marker', #DiscoveryAccess:DiscoveryAccessResult:DiscoveryResult:DeviceInfo.device_type as 'Device Type', #DiscoveryAccess:DiscoveryAccessResult:DiscoveryResult:DeviceInfo.hostname as 'Hostname', #DiscoveryAccess:DiscoveryAccessResult:DiscoveryResult:DeviceInfo.kind as 'Kind'

          2 of 2 people found this helpful
          • 2. Re: DAs with No Access & No Response Report
            Hitesh Jha

            Thanks a lot Lisa for your prompt response.

            • 3. Re: DAs with No Access & No Response Report
              Hitesh Jha

              Lisa,

              Is it possible to edit the below query to extract the list of Hosts where the end state is No Response within one week?

               

              search Host, NetworkDevice, Printer, SNMPManagedDevice, ManagementController, MFPart, StorageDevice with value(getOption('MIN_FAILED_ACCESSES_BEFORE_DESTROY') + age_count) as scans, value(abs(last_update_success) / 10000000) as lus, value(currentTime() / 10000000 - getOption('MIN_SECONDS_SINCE_ACCESS_SUCCESS_BEFORE_DESTROY') + 2 * 24 * 3600) as time_threshold, value((getOption('MIN_SECONDS_SINCE_ACCESS_SUCCESS_BEFORE_DESTROY') + abs(last_update_success) / 10000000 - currentTime() / 10000000) / 3600) as time_to_doom where age_count defined and @scans <= 2 and @lus <= @time_threshold and getOption('MIN_FAILED_ACCESSES_BEFORE_DESTROY') > 2 and getOption('MIN_SECONDS_SINCE_ACCESS_SUCCESS_BEFORE_DESTROY') > 2 * 24 * 3600 and kind(#) = 'Host' order by last_update_success show name, os, (#InferredElement:Inference:Associate:DiscoveryAccess.endpoint or 'DDD Aged Out') as 'Last Successful IP', whenWasThat(last_update_success) as 'Last Successful Scan', age_count * -1 as 'Consecutive Scan Failures', (@scans > 0 and @time_to_doom > 0 and #'Eligible for removal in %d scans and %d hours'(@scans,@time_to_doom) or @scans > 0 and #'Eligible for removal in %d scans'(@scans) or @time_to_doom > 0 and #'Eligible for removal in %d hours'(@time_to_doom)) as 'Removal Eligibility'

              • 4. Re: DAs with No Access & No Response Report
                Hitesh Jha

                Is it possible to create a query for No Response for hosts using the function MIN_SECONDS_SINCE_ACCESS_SUCCESS_BEFORE_DESTROY?

                • 5. Re: DAs with No Access & No Response Report
                  Lisa Keeler

                  Hi Hitesh,

                   

                  This doesn't seem to be a query function:  MIN_SECONDS_SINCE_ACCESS_SUCCESS_BEFORE_DESTROY

                   

                  I see it is the tw_option that corresponds to this setting in the UI, on the model maintenance page:

                   

                  10 days

                   

                   

                  But, I don't know what report you want, exactly.

                  I think you should open a ticket.

                   

                  Lisa

                  • 6. Re: DAs with No Access & No Response Report
                    Hitesh Jha

                    Lisa, thanks a lot for your help.

                    I have modified my query as below.

                    search Host where last_access_response <> 'Successful access' and last_update_success > currentTime() - 7 * 24 * 3600 * 10000000 show name as 'Hostname', #Device:ChosenEndpoint:Endpoint:Endpoint.endpoint as 'Ipaddress',  last_access_response as 'Last Access Response', formatTime(last_update_success, '%d %B %Y') as 'Last Update Success'

                     

                    But now it will show entries for Device changed identity as well in Last access Response.

                    I have verified my sample report as well for accuracy. I noticed a few things, as below.

                     

                    I am not able to understand one thing: one host was showing No Access in the last scan, but it was successfully scanned in previous scheduled scans.

                     

                    I am looking for a query which will extract the list of servers that show No Access, No Response in the last one week.

                    • 7. Re: DAs with No Access & No Response Report
                      Hitesh Jha

                      Lisa,

                      Finally, we have prepared a query for No Access, No Response like below.

                       

                      search Host with value(getOption('MIN_FAILED_ACCESSES_BEFORE_DESTROY') + age_count) as scans, value(abs(last_update_success) / 10000000) as lus, value(currentTime() / 10000000 - getOption('MIN_SECONDS_SINCE_ACCESS_SUCCESS_BEFORE_DESTROY') + 2 * 24 * 3600) as time_threshold, value((getOption('MIN_SECONDS_SINCE_ACCESS_SUCCESS_BEFORE_DESTROY') + abs(last_update_success) / 10000000 - currentTime() / 10000000) / 3600) as time_to_doom where age_count defined and @scans <= 7 and @lus <= @time_threshold and getOption('MIN_FAILED_ACCESSES_BEFORE_DESTROY') > 2 and getOption('MIN_SECONDS_SINCE_ACCESS_SUCCESS_BEFORE_DESTROY') > 2 * 24 * 3600 and kind(#) = 'Host' order by last_update_success show name, os_type, age_count * -1 as 'Consecutive Scan Failures', (@scans > 0 and @time_to_doom > 0 and #'Eligible for removal in %d scans and %d hours'(@scans,@time_to_doom) or @scans > 0 and #'Eligible for removal in %d scans'(@scans) or @time_to_doom > 0 and #'Eligible for removal in %d hours'(@time_to_doom)) as 'Removal Eligibility'

                      2 of 2 people found this helpful
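
As an added illustration (not part of any post in this thread and not BMC code), the Python below models the arithmetic of the time-window filter from reply 1 and of the removal-eligibility query from reply 7, so the filter and the three label branches can be checked by hand. The option values, the host rows and the names `window_start`, `removal_eligibility`, `report` and `max_scans` are constructed for the example.

```python
# Added example: models the thread's query arithmetic; all data here is constructed.
TICKS_PER_SECOND = 10_000_000  # the queries divide currentTime() by 10000000 to get seconds
TWO_DAYS = 2 * 24 * 3600


def window_start(now_ticks, days):
    """Cutoff in `discovery_starttime > (currentTime() - 7*24*3600*10000000)`."""
    return now_ticks - days * 24 * 3600 * TICKS_PER_SECOND


def removal_eligibility(host, now_ticks, min_failed, min_seconds, max_scans=7):
    """Return the 'Removal Eligibility' text, or None if the where clause drops the host."""
    if host.get("age_count") is None:                # where age_count defined
        return None
    if min_failed <= 2 or min_seconds <= TWO_DAYS:   # option guards in the where clause
        return None
    now_s = now_ticks / TICKS_PER_SECOND
    scans = min_failed + host["age_count"]           # age_count goes negative on failures
    lus = abs(host["last_update_success"]) / TICKS_PER_SECOND
    time_threshold = now_s - min_seconds + TWO_DAYS
    time_to_doom = (min_seconds + lus - now_s) / 3600  # hours
    if not (scans <= max_scans and lus <= time_threshold):
        return None
    if scans > 0 and time_to_doom > 0:
        return "Eligible for removal in %d scans and %d hours" % (scans, time_to_doom)
    if scans > 0:
        return "Eligible for removal in %d scans" % scans
    if time_to_doom > 0:
        return "Eligible for removal in %d hours" % time_to_doom
    return ""  # no branch matched; modelled here as an empty label


NOW = 10**16  # constructed "current time" in ticks


def ago(days):
    return NOW - days * 24 * 3600 * TICKS_PER_SECOND


HOSTS = [  # constructed rows
    {"name": "host-a", "age_count": -5, "last_update_success": ago(9)},
    {"name": "host-b", "age_count": -1, "last_update_success": ago(1)},
    {"name": "host-c", "age_count": -7, "last_update_success": ago(12)},
    {"name": "host-d", "age_count": -8, "last_update_success": ago(9)},
]


def report(hosts, now_ticks=NOW, min_failed=7, min_seconds=10 * 24 * 3600):
    """Map host name to label for every host that passes the filter."""
    labels = ((h["name"], removal_eligibility(h, now_ticks, min_failed, min_seconds))
              for h in hosts)
    return {name: label for name, label in labels if label is not None}
```

With these constructed values, host-b drops out because its last successful update is more recent than the two-day-offset threshold, which is why the query reads as a "near removal" report rather than a plain No Access / No Response list.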
                      • 8. Re: DAs with No Access & No Response Report
                        Lisa Keeler

                        Great! Thanks for posting the final query.

                        • 9. Re: DAs with No Access & No Response Report
                          Andrew Waters

                          That looks pretty much like the devices near removal threshold report.

                           

                          There is no need to check the kind; you have already limited it by using search Host.

                          1 of 1 people found this helpful
                          • 10. Re: DAs with No Access & No Response Report
                            Hitesh Jha

                            Understood Andrew.

                            I have removed the kind from the above query.