19 Dec 2023 04:42 PM - last edited on 20 Dec 2023 08:27 AM by MaciejNeumann
Hi there,
I'm a newbie, so please don't flame me. I'm trying to get the logs from all hosts that have a certain Tag... I can get the hosts, but then how do I feed that to a fetch logs?
fetch dt.entity.host | filter matchesValue(tags,"MESSAGING:DAG01")
| fetch logs
doesn't seem to work
any pointers would be appreciated, cheers
19 Dec 2023 07:51 PM
Hi @S_Hadley1138,
Try this :
fetch logs
| lookup [ fetch dt.entity.host
| filter matchesValue(tags,"MESSAGING:DAG01")
],lookupField:id, fields:{id}
Let me know if it's ok for you
20 Dec 2023 09:46 AM - edited 20 Dec 2023 09:59 AM
Thanks for responding. It does execute, but it's not respecting the tag, and pulling everything back. It seems I can put anything in the tag field in the query and get the same results... very odd
I've tried to show in the screenshot that the hosts it's pulling back are Citrix, rather than messaging, and have different tags
20 Dec 2023 12:41 PM
Ooh.. so you can try this :
fetch logs
| lookup
[
fetch dt.entity.host
],sourceField:dt.entity.host, lookupField:id, fields:{id,tags}
| filter matchesValue(tags,"MESSAGING:DAG01")
21 Dec 2023 02:47 PM
I may have found the issue.... seems our servers were not enabled for collecting the Windows application logs, so there are no logs to find... apologies for that
21 Dec 2023 08:31 PM
That might explain it all ^^
22 Dec 2023 08:57 AM
like I said, I am a Newbie... (and a Muppet...) thanks for your help
20 Dec 2023 12:55 PM - edited 20 Dec 2023 12:55 PM
@S_Hadley1138
oooh.. So you can try this one :
fetch logs
| lookup
[
fetch dt.entity.host
],sourceField:dt.entity.host, lookupField:id, fields:{id,tags}
| filter matchesValue(tags,"MESSAGING:DAG01")
20 Dec 2023 01:39 PM
close, but that doesn't return anything...
I can see what you are doing with the filter, as this query returns the host names ok
fetch dt.entity.host
|fieldsAdd entity.name
| filter matchesValue(tags,"MESSAGING:DAG01")
just need to get the logs to filter by this list.... so close
20 Dec 2023 03:11 PM
Sadly, that returns no results. The filter part works against the hosts table, it just doesn't want to connect the two parts. Any other ideas?
20 Dec 2023 04:16 PM
It's curious because I tested the command on my environment and it works well..
20 Dec 2023 05:00 PM
Could it be because there are many Tags? Might it need to be a 'containsValue' rather than matchesValue? Or whatever the DQL equivalent is? In your testing, try it with several tags....
20 Dec 2023 04:42 PM
I agree, as I think it is along the right lines..... I've included a screenshot, I can prove the tags are right... I must be doing something wrong
20 Dec 2023 07:36 PM
can you observe the desired tags with the following command?
fetch dt.entity.host
| filter matchesValue(tags,"MESSAGING:DAG01")
| fields entity.name, id, tags
21 Dec 2023 01:43 PM
Yep, that query works fine (apologies for the red, I'm trying to obscure the company name)