Search Asset Tokens

activationDateactivationDate

Use a text value ##### to find assets based on the activation date.

Example

Find assets that are activated within certain dates.

activationDate: [2020-10-05 .. 2020-10-10]

Find assets activated on specific date.

activationDate: '2020-10-05'

agentService.osStatusagentService.osStatus

Use a text value ##### to find Linux assets based on the operating system (OS) status.

The OS Status value can be used to detect if the audit channel is locked or busy. Note that this agent status may get overwritten by a later status sent to platform by agent and hence the audit channel related error may not remain always visible.

Example

Find Linux assets with this OS status.

agentService.osStatus: "Q_AuditChannelBusy" or agentService.osStatus: "Q_AuditConfigLockError";

Select the token values from: Q_AuditNotPresent, Q_AuditInImmutableStat, Q_NeverTaskRuleExists, Q_SELinuxPackagesMissing

Examples
Find Linux assets with this OS status where the audit service is not in the running state.
agentservice.osStatus: Q_AuditNotPresent
Find the Linux assets whit the OS status where the SELinux packages are missing.
agentservice.osStatus: Q_SELinuxPackagesMissing
Find the Linux assets with the OS status where no FIM events will be generated.
agentservice.osStatus: Q_NeverTaskRuleExists

Find Linux assets with this OS status.
agentService.osStatus: "Q_AuditChannelBusy" or agentService.osStatus: "Q_AuditConfigLockError"

agentService.osStatus: Q_AuditChannelBusy
Audit channel is busy and fimc cannot access it

Example,
The audit channel busy error will occur if dispatcher=0 and auditd is already running (and hence, consuming the kernel's audit channel)

agentService.osStatus Q_AuditConfigLockError
Audit config is lock in environment.
Example,
Immutable and ConfigLockError should be the same. One being used by the old fimc (<v4.0) and the new one is probably added in 5.9

The OS Status value can be used to detect if the audit channel is locked or busy.
Note: This agent status may get overwritten by a later status sent to platform by agent and
hence the audit channel related error may not remain always visible.

For FIM prerequisite checks failed for Linux platform, you can use the following query.

agentService.osStatus:`Q_AuditNotPresent` or agentService.osStatus:`Q_AuditInImmutableState` or agentService.osStatus:`Q_NeverTaskRuleExists` or agentService.osStatus:`Q_SELinuxPackagesMissing`

agentService.statusagentService.status

Use a text value ##### to find assets based on the agent service status. (CONFIG_PROFILE_APPLIED, CONFIG_PROFILE_DOWNLOAD_SUCCESS, CONFIG_PROFILE_DOWNLOAD_FAILED, FIM_DRIVER_LOADED, FIM_DRIVER_LOADED_FAILURE, FIM_DRIVER_UNLOADED, FIM_DRIVER_UNLOADED_FAILURE, FIM_EVENTS_UPLOADED, FIM_EVENTS_UPLOADED_FAILURE, FIM_ENABLED, FIM_DISABLED, FIMC_RUNNING, FIMC_STOPPED).

Example

Find assets with this agent service status.

agentService.status: FIM_DRIVER_LOADED

agentService.updatedDateagentService.updatedDate

Use a text value ##### to find assets based on the agent updated.

Example

Find assets with agent updated within certain dates.

agentService.updatedDate: [2020-10-05 .. 2020-10-10]

Find assets with this agent update date.

agentService.updatedDate: '2020-10-05'

createdcreated

Use a text value ##### to find assets based on the date created.

Example

Find assets created within certain dates.

created: [2020-10-05 .. 2020-10-10]

Find assets created on this date.

created: '2020-10-05'

lastCheckedInlastCheckedIn

Use a date range or specific date to find assets based on the last check-in.

Example

Find assets with last check in within a specific date range.

lastCheckedIn: [2020-01-01 .. 2020-01-10]

Find assets with last check in starting 2019-11-01, ending 1 month ago.

lastCheckedIn: [2019-11-01 .. now-1M]

Find assets with last check in starting 2 weeks ago, ending 1 second ago.

lastCheckedIn: [now-2w .. now-1s]

Find assets with last check in on a specific date.

lastCheckedIn: '2020-02-11'

Find assets with last check in before (older than) last 30 days.

lastCheckedIn: <now-30d

Note: In this case, we recommend not to use the NOT operator in your range search to form a query like NOT lastCheckedIn:[now-30d .. now-2s].

Find assets with last check in within last 30 days excluding day 30.

lastCheckedIn: >now-30d

Find assets with last check in within last 30 days including day 30.

lastCheckedIn: >=now-30d

Find assets with last check in which is older than last 30 days excluding day 30.

lastCheckedIn: <now-30d

Find assets with last check in which is older than last 30 days including day 30

lastCheckedIn: <=now-30d

operatingSystemoperatingSystem

Use quotes or backticks within values to find assets based on the operating system.

Example

Show asset for operating system.

operatingSystem: windows

Show any asset that contain parts of operating system name.

operatingSystem: "windows"

Show asset that match exact value.

operatingSystem: `windows`

manifest.statusmanifest.status

Use a text value ##### to find assets based on manifest status (FIM_ACTIVATION_REQUEST_RECEIVED, FIM_MANIFEST_DECOMMISSIONED, FIM_MANIFEST_ASSIGNED, FIM_MANIFEST_APPLIED_SUCCESS, FIM_MANIFEST_APPLICATION_FAILED, FIM_MANIFEST_ASSIGNMENT_FAILED, FIM_MANIFEST_PUBLISHED, NO_FIM_MONITORING_PROFILE_FOUND, QUEUED_FOR_MANIFEST_GENERATION).

Example

Find assets with this manifest status.

manifest.status: FIM_ACTIVATION_REQUEST_RECEIVED

manifest.updatedDatemanifest.updatedDate

Use a text value ##### to find assets based on manifest updated date.

Example

Find assets with manifest updated within certain dates.

manifest.updatedDate: [2020-10-05 .. 2020-10-10]

Find assets with this manifest update date.

manifest.updatedDate: '2020-10-05'

namename

Use quotes or backticks with value to find assets with the name you're interested in.

Example

Show any asset related to name.

name: localhost

Show any asset that contain parts of name.

name: "localhost"

Show asset that match exact name.

name: `localhost`

system.bootsystem.boot

Use a text value ##### to find assets based on the last boot date.

Example

Find assets booted within certain dates.

system.boot: [2020-10-05 ... 2020-10-10]

Find assets with this last boot date.

system.boot: '2020-10-05'

tags.nametags.name

Use quotes or backticks within values to find assets based on the tag name.

Example

Find assets with tag name.

tags.name: cloud

Find assets that contain parts of tag name.

tags.name: "cloud"

Find assets that match exact value.

tags.name: `cloud`

Searching FIM Asset Tokens

Use a text value ##### to find assets based on the activation status (True, False)

Use a text value ##### to find assets based on the activation date.

Use a text value ##### to find Linux assets based on http status.

Use a text value ##### to find Linux assets based on the operating system (OS) status.

Use a text value ##### to find assets based on the agent service code. (2001, 2002, 2003, 2004, 2007, 2008, 2009, 2010).

Use a text value ##### to find assets based on the agent updated.

Use an integer value ##### to find assets by agent UUID.

Use a text value ##### to find the assets with a agent version you're interested in.

Use an integer value ##### to find assets by agent ID.

Use a text value ##### to filter assets by the certain asset type.

Use a text value ##### to find assets based on the date created.

Use a text value ##### to find assets based on the netbios name.

Use a text value ##### to find assets based on the EC2 region.

Use a text value ##### to find assets based on the EC2 instance ID.

Use a text value ##### to find assets based on the EC2 hostname.

Use a text value ##### to find assets based on the EC2 availability zone of assets.

Use a text value #####to find assets with the MAC address you're interested in.

Use a text value ##### to find assets with an IP address (IPv4 of IPv6) you're interested in.

Use a text value ##### to find assets with the hostname you're interested in.

Use a text value ##### to find assets based on the interface name.

Use a text value ##### to find assets based on the user last logged in user.

Use quotes or backticks within values to find assets based on the operating system.

Use a text value ##### to find assets based on manifest ID.

Use a text value ##### to find assets based on manifest updated date.

Use quotes or backticks with value to find assets with the name you're interested in.

Use a text value ##### to find assets based on the last boot date.

Use quotes or backticks within values to find assets based on the tag name.

Use a boolean query to express your query using AND logic.

Use a boolean query to express your query using NOT logic.

Use a boolean query to express your query using OR logic.