18 Mar 2024 04:49 PM
I need help to get process group for specific set of hosts using DQL.
Has anyone extracted it successfully?
Regards,
AK
Solved! Go to Solution.
18 Mar 2024 06:45 PM - edited 18 Mar 2024 06:46 PM
Hi,
It returns all process groups IDs and visual name for host "XXXX":
fetch dt.entity.host
| filter entity.name == "XXXX"
| expand runs[dt.entity.process_group]
| fieldsAdd process_group.name = lookup(
[ fetch dt.entity.process_group ], lookupField:id, sourceField:`runs[dt.entity.process_group]`
)[entity.name]
Maybe a better DQL query can be done.
Best regards
18 Mar 2024 08:29 PM
As single process group can run on multiple hosts, this query may contain duplicates, you can use dedup command
| dedup `runs[dt.entity.process_group]`, process_group.name
to get list of unique process group ids/names and one exemplary host id/name for each of them. Alternatively you can use summarize to get unique process group ids/names with array of hosts it runs on
| summarize {ids=collectDistinct(id)}, by: {`runs[dt.entity.process_group]`, process_group.name}
Kris