2015-05-12 04:13 PM
Afternoon All,
I am attempting to create a report that will show any duplicated Windows WinRM collections that we have set up in our environment. I was hoping to just create a simple report that has any device = winevent_nic, and vlc > 2. However, I am unaware of any reporting syntax that is available to do such a thing. Please advise.
2015-05-19 11:25 AM
I've been asking around about your post. Got this as a response from one of our technical leads:
"would do something like
Select device.ip
Where device.type= winevent_nic
Then lookup_and_add('forwarder.ip','device.ip',5)
Not exactly what he was trying, but this will give him all Windows machines and all collectors calling them. There should only be one collector, and it will be easy to see if 2 are collecting the same host."
Hopefully that is helpful.
2015-05-21 09:25 AM
Thanks Seth.
What do you mean by 'forwarder.ip' in the lookup_and_add statement? Are you referring to the vlc == lc.cid? I attempted several variations of this in our instance, and nothing populated properly.