Enrichment rule to delete installedsoftware

Hello:

I need help creating this enrichment rule, if it's possible...

Our nodes are Windows machines, which are scanned every 14 days.
The probes are configured with the appilog.agent.local.process.result.filterRedundant=false option, which means that all discovered CIs are marked with the date of LastDiscoveryTime (even those that have not changed).

I want to delete the installedsoftware CIs whose LastDiscoveredTime is not equal to the LastDiscoveredTime of the node.

I created the enrichment rule and created the query:
.- Insert the node, the inventoryscanner and the installed software CI
.- Create a Regular Relationship (Composition) between the node and the inventoryscanner
.- Create a "Join Relationship" between the node and the installedsoftware
      .- Node {0} attribute: LastDiscoveredTime
      .- Operator: NotEqual
      .- InstalledSoftware {0} attribute: LastDiscoveredTime

When we calculate the query result count, it shows me more installedsoftware than expected.
The query does not work with two or more nodes; it shows me more results (many are wrong) than I expected.

This query works well if we have only one node (we tested it), but when we have 2 or more nodes it shows me wrong installedsoftware.

Thanks.

  • Suggested Answer

    Hi Chuchi,

    The current condition defined in the join relationship will compare the LastDiscoveredTime of the installed software with not only the node where it is installed but all other nodes. Therefore, you need to tell the query that you want to compare the installedsoftware with its container node. 

    It can be solved by adding the following condition to the join relationship.

    InstalledSoftware.container equals Node.globalID

    Thanks,

    Leslie
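
The effect described in the answer, as an added example that is not part of the original thread and is not UCMDB's own query engine: a small Python model of the join, run once with only the NotEqual condition and once with the container condition added. The CI values and function names are constructed for illustration; the attribute names are the ones used in the thread.

```python
# Constructed sample CIs; attribute names follow the thread, values are made up.
NODES = [
    {"globalID": "node-A", "LastDiscoveredTime": "2024-01-15"},
    {"globalID": "node-B", "LastDiscoveredTime": "2024-01-16"},
]
INSTALLED_SOFTWARE = [
    {"name": "7-Zip", "container": "node-A", "LastDiscoveredTime": "2024-01-15"},   # current
    {"name": "OldVPN", "container": "node-A", "LastDiscoveredTime": "2024-01-01"},  # stale
    {"name": "7-Zip", "container": "node-B", "LastDiscoveredTime": "2024-01-16"},   # current
    {"name": "Putty", "container": "node-B", "LastDiscoveredTime": "2024-01-02"},   # stale
]


def join_not_equal_only(nodes, software):
    """Join on LastDiscoveredTime NotEqual alone: every node meets every software CI."""
    return [
        (n["globalID"], s["container"], s["name"])
        for n in nodes
        for s in software
        if n["LastDiscoveredTime"] != s["LastDiscoveredTime"]
    ]


def join_with_container(nodes, software):
    """Same join plus InstalledSoftware.container equals Node.globalID."""
    return [
        (n["globalID"], s["container"], s["name"])
        for n in nodes
        for s in software
        if s["container"] == n["globalID"]
        and n["LastDiscoveredTime"] != s["LastDiscoveredTime"]
    ]


def deletion_candidates(pairs):
    """Distinct software CIs (container, name) that a delete rule would act on."""
    return sorted({(container, name) for _, container, name in pairs})


if __name__ == "__main__":
    # Without the container condition, current software on node-A is matched
    # by node-B's timestamp (and vice versa), so it is wrongly selected.
    print(deletion_candidates(join_not_equal_only(NODES, INSTALLED_SOFTWARE)))
    # With the container condition, only the stale CI on each node remains.
    print(deletion_candidates(join_with_container(NODES, INSTALLED_SOFTWARE)))
```

With a single node both joins return the same rows, which is why the original query looked correct in the one-node test.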