Bob Clements
Jan 12, 2018

Query with SCCM ComputerGroup

The following documentation provides some example queries using Computer Groups:

Computer groups in Log Analytics log searches

 

I am attempting to run a query using some computer groups imported from SCCM. I have confirmed that the groups are available through Settings > Computer Groups > SCCM. However, my query isn't providing any results. These are a couple of the queries I am attempting to process:

 

let WaaSGroup = ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 001" | distinct Computer;
WaaSDeploymentStatus | where Computer in (WaaSGroup) | where DeploymentStatus=="Failed"

let DriverGroup = ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 002"
UADriver | where Computer in (DriverGroup) | where Issue == "Driver will not migrate to new OS"

Does anyone have any clarification on the query syntax when using an imported computer group?

 

Thanks!

 

  • Hi Bob,

     

    Please provide us some more details so we can help you.

    Do the following queries provide any results?

     

    1. ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 001" | distinct Computer
    2. ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 001" and TimeGenerated > ago(2d) | distinct Computer
    3. ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 002" | distinct Computer
    4. ComputerGroup | where GroupSource == "SCCM" and Group == "Collection 002" and TimeGenerated > ago(2d) | distinct Computer

     

    BTW: you forgot the "distinct Computer" in the Collection 002 query.

     

    Thanks,

    Meir 

    • Bob Clements

      Hi Meir,

       

      All 4 of the queries that you provided work as expected. I receive the list of computers that correspond to the different groups. 

       

      How would I take these results and run them against a table search? For example, one of the following conditions:

       

      WaaSDeploymentStatus | where Computer in (WaaSGroup) | where DeploymentStatus=="Failed"
      
      
      UADriver | where Computer in (DriverGroup) | where Issue == "Driver will not migrate to new OS"
