cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 10

How to remove duplicated audit events

Hi,

Can you show me how to remove duplicated audit events from this query?

SELECT o.TimeLoggedUtc, o.AccountID, o.AuditEventMessage, n.DisplayName, o.AuditingActionType.ActionTypeDisplayName, cp.OS_Environment, cp.os_admin, cp.site_name, cp.mute_node, n.ipaddress, cp.os_type, cp.Site_Server_Room_Rak, cp.Site_Server_Room_Row, n.status, n.childstatus, n.DetailsUrl, o.networknode, n.nodeid

FROM Orion.AuditingEvents o 

left JOIN Orion.Nodes n ON o.NetworkNode=n.NodeID 

left join orion.nodescustomproperties cp ON o.networknode=cp.nodeid

WHERE cp.mute_node = 'true' and AuditEventMessage like '%Mute_Node% to %True%' and NetworkNode is not NULL and ActionTypeID = 30

order by TimeLoggedUtc DESC 

pastedImage_2.png

I know there's a new built-in Mute feature with SAM 6.4, however I can't transition to that method yet, so thanks in advance.

0 Kudos
2 Replies
Level 10

More clarification:  I need to add in a resource view to show a custom property node if it is muted and at the same time, show the account which muted the node.  However, running this swql query resulted in an "audit type event" which will show multiple event of node being muted.


Can I add this custom resource view to show only 1 instance of the Node name, or IP?

0 Kudos
Level 19

You just want the most recent audit event for when a node's Mute_Node custom property is set to 'True'? You can get that by starting the query with "SELECT TOP 1" and then continuing with the rest of the query.

0 Kudos