Cole McDonald

  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by Cole McDonald

  1. From the Device perspective, what do the three(?) elements of the sdtstatus mean? Looking at a device, I see "none-none-none" or something like "none-SDT-none" where one of the elements is replaced with SDT. @Sarah Terry?
  2. I've implemented this in the past as a dataSource for tracking number of failed connection attempts against a server over a 5 minute period. Powershell that grabs the last 5 minutes of 4625 from the windows security log where the message contains the status for bad username or bad password. It just returns a count rather than individual events. This let me drive a NOC widget of devices to show brute force intrusion attempts. This could potentially be added like a cluster alert using the existing eventSource though and help to combine individual events into a single actionable alert to
  3. I'm not sure where it came from. I'm no longer at Beyond Impact, so don't have access to that deployment any longer. I didn't actually perform the deployment of LM at that location, so I'm not sure how it got in the DS list there. It was originally written by an LM developer, but the code above should allow you to create your own implementation of it from scratch.
  4. Thanks guys. Will this allow me to add customProperties or am I locked into accessing existing customProperties?
  5. Has anyone had any success using the v2 of the REST API to push a PATCH to add a customer property to an object (in this case /device/groups/##### without wiping out any other custom properties that have already been set? We've run into a curious behavior while trying to add a property to feed out integration to our ticketing system. It seems to replace the whole of the custom properties object, not just the child object within the customproperties level of the json: { `"customProperties`" : [{ `"name`" : `"connectwisev2.companyid`", `"value`" : `"$($integrationID.Tr
  6. Here's the link: and yes? I don't quite recall how to have it return a NaN, but I have done it in the past, so I know it's possible. unkn() is a constant for it, that may have been how I did it... so: if(maxrtt>100,1,unkn()) ?
  7. If you have a website built that will take a URL structure that can be married to device/instance property values, you can have the alert generate the URL form the inciting instances properties to direct you to the appropriate page. You may need to build out a redirection page within your site that receives and interprets those URLs for you. ##DATASOURCE## might be the right token to use for building that decision/redirection tree.
  8. ACK should be removable if determined it was checked incorrectly by a user.
  9. That's what I've been doing currently. Any change to it though means you have to change, then distribute that change manually still. So it's pretty much set in stone once you've produced it at scale. The templating would be a way to make changes without having to take this process to that extreme.
  10. You would bring in the ping as a "do not display" value, then make a virtual datapoint that uses an if() to evaluate the >100 and return a NAN for the false condition.
  11. The alerts take you to a specific instance, so it should be possible. URL structure is this: https://<companyName><deviceInstanceNumber> You should be able to derive the instance # from the REST API... but you state that you're a bit of a novice. Might be ##system.instanceid## or just ##instanceID##
  12. My ability to edit the previous post timed out (annoying)... here's the final thing I was going for: if (get-date -format HH -eq 10) { if ( test-path "\\servername\C$\Path\To\File.txt" ) { write-output "1" } else { write-output "0" } } Just checks the 24hr Hour to see if it's 10. Have it fire once an hour.
  13. I don't specifically have a ready made one, but if you make a DS that "AppliesTo" a system.hostname=="oneOfYourCollectors" (make sure it's in the same domain as the resource with the UNC path you want to check). Then something like: if ( test-path "\\servername\C$\Path\To\File.txt" ) { write-output "1" } else { write-output "0" } as a powershell script should do the trick.
  14. With the issues we've been having with collector resource exhaustion, I've been thinking about ways to reduce the amount of dataSources that run on the collectors at any given time. It occurs to me that if there is a host down, all of the datasources are still trying to run against it and having to await timeout before releasing their resources on the collector. I'd like to submit that a Host down status should issue a partial SDT for the device that would prevent all but the host status datasources from running against that device. The host status change could then remove the SDT once it
  15. or for sites that place dashboards up on big NOC displays at the front of a call center.
  16. No such luck... could you verify that this is the correct URL structure for this @Forrest Evans - LM? Even being really pedantic about it still isn't taking it:,preferredCollectorId same error: Invoke-RestMethod : {"errorMessage":"custom property name cannot be predef.externalResourceID\ncustom property name cannot be predef.externalResourceType\n","errorCode":1404
  17. Thank you Forrest. As always, a font of great information. I assume from the reading that the default is "refresh" From the link above (to save folks some clicking): "opType=replace indicates that the properties included in the request payload will be added if they don't already exist, or updated if they do already exist, but all other existing properties will remain the same" I'll be putting this in place to day and I'll report back... hopefully with a new $data block for the script and calling it done!
  18. No updates from LM on this last point. It's the last piece I've got on this. I'm going to put it in place anyway as it works on the other ABCGs in our environment and doesn't do anything to the other when it fails due to the azure resources being REST API incompatible due to naming convention issues with their properties. I suspect it's just a miss and will magically start working at some point. (Again, this is where I point out that we're not liable if you implement this and it doesn't work in your environment). customProperties : {@{name=predef.externalResourceID; ...
  19. My thought for passing data from frame to frame was to write to temp properties of the dashboard and use them in the other widgets. I was going to use something like this to make a slicer so you could have a list of devices in a graph and select which ones you want to have show up.
  20. So... I'm on windows, your response came in as I was getting all of that code in there It'll be functionally similar for Linux. Not sure if it will work, but you may be able to install the Powershell core on your Linux collector to see if that will work there. (Free from Microsoft: ) (I don't know Groovy Script yet )
  21. #!!! Requires Credential Manager 2.0 from the repository !!!# Import-Module CredentialManager function Send-Request { param ( $cred, $accessid = $null, $accesskey = $null, $URL , $data = $null, $version = '2' , $httpVerb = "GET" ) if ( $accessId -eq $null) { $accessId = $cred.UserName $accessKey = $cred.GetNetworkCredential().Password } <# Use TLS 1.2 #> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolTyp
  22. You can grab historical data for an dataSource instance using the REST API. Once you've got the time range you want to evaluate, finding the Max should be relatively simple. Let me fish up a thread with how to grab those counters for you... I found my thread for tokenizing the return using powershell, but apparently, didn't include the data grab portion of the code in the thread