Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 23 replies
  • Subscribers 0 subscribers
  • Views 76671 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SQL - How to remove duplicate entities from SEC

RRR

Hi there, its summer time, so maintenance time. I'm trying to remove deprecated computers from the SEC SOPHOS521 database using an SQL query that can get rid of hundreds of duplicates.

Our naming scheme for computernames is the following:

RoomNumber-Servicetag/Serial-Make

If a computers is renamed (or reimaged or when it receives an OS upgrade) the computername sometimes changes even though the Servicetag/Serial part stays the same. Sophos doesn't always recognize that this is the same entity thus creating duplicates that never Update and show up as Unknown and what not. Console clutter that distracts from the real issues!

Example:

old name: 506-TKJFREP-D

new name: ROAM-TKJFREP-D

or

old name: ROAM-0445001-H

new name: GH-0445001-H

The only constant is the Servicetag which is exactly 7 character (either letter or numbers) and that there is a dash encapsulating it. And the last character of the computername is always only one (1) character.

Right now I have the ability to find duplicates with the exact same name using the following SQL query:

SELECT c.Name,
	c.Description, 
	c.DomainName, 
	c.OperatingSystem, 
	c.Managed, 
	c.Deleted, 
	c.Connected,
	c.SAVOnAccess,
	c.LastMessageTime,
	c.insertedat, 
	c.IdentityTag,
	c.IPAddress,	
	c.QuarantineCount,
	c.LastLoggedOnUser,
	c.MessageSystemAddress,
	cgm.GroupID
FROM [SOPHOS521].[dbo].[ComputersAndDeletedComputers] as c
    inner join [SOPHOS521].[dbo].[ComputerGroupMapping] as cgm on cgm.ID = c.id
WHERE c.Name in(
	SELECT c.Name
	FROM [SOPHOS521].[dbo].[ComputersAndDeletedComputers] as c
        WHERE Deleted = 0
	GROUP BY c.name
	HAVING ( COUNT(c.name) > 1 )
)
order by c.name

This is done regularly and spitting out about 20 duplicates each month which I then delete manually from SEC.

Now, how would I change this query to find and automatically delete the entities that have different computernames, but the same Servicetag/Serial based on last report date (c.LastMessageTime)? Both LastMessageTimes would need to be compared and the one that is more recent stays while the other, older one gets deleted.

Jak for the rescue.

:50158


This thread was automatically locked due to age.
  • 0

    Hello RRR,

    not something by Jak,  not even a solution or automated but a q&d change to perhaps get a list of the computers in question:

    SELECT c.Name,

    SUBSTRING(c.name,LEN(c.name)-10,9) as ServiceTag

    	 c.Description,

    then replace all c.name in the WHERE clause with SUBSTRING(c.name,LEN(c.name)-10,9) and finally change the order by to order by SUBSTRING(c.name,LEN(c.name)-10,9), c.LastMessageTime.

    BTW: with delete the entities you mean just flagging them as deleted or removing them from the database?

    Christian

    :50174
  • 0

    Awesome. Thanks QC, I'll give it shot.

    I try to minimize the SOPHOS DB and remove not needed info thus I'm going to completely remove them from the DB. Any objections why this would not be a good idea?

    :50190
  • 0

    Gosh, I knew it. 3754 rows. Divided by 2 = around 1850 double entities (some have three prefixes, i.e. they have been renamed three or more times.)

    I had to change the LEN function from -10,9 to -9,9 since -10,9 resulted in one additional character in front of the first dash. Thanks so much QC for leading me in the right direction. 

    -9,9 gives me exactly the format I need: "-Servicetag-"

    Now I still need to figure out how to delete the older entities (based on a comparison who reported last). Grübel....

    :50196
  • 0

    To the OP and anyone else reading this thread there is PurgeDB.exe for clearing down the DB (without SQL - obviously SQL was requested originally :smileywink:).

    http://www.sophos.com/en-us/support/knowledgebase/110733.aspx

    :50240

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    Yes, I run the PurgeDB util for maintenance reasons once in a while too: "C:\Program Files\Sophos\Enterprise Console" PurgeDB.exe -action=purge -category=computers -HistoryLengthInDays=90 (3 months). But afaiu it only purges/deletes already deleted computers. The problem I have is that I have about 1800 duplicated entities in the DB and these need to be deleted first before I can further purge/delete with PurgeDB. Right now I'm stuck since I'm not sure how to filter out and delete these duplicate  in an SQL query and .

    The current query works perfect (with help of QC) to show the duplicates:

    SELECT SUBSTRING(c.name,LEN(c.name)-9,9) as ServiceTag,
	c.Description, 
	c.DomainName, 
	c.OperatingSystem, 
	c.Managed, 
	c.Deleted, 
	c.Connected,
	c.SAVOnAccess,
	c.LastMessageTime,
	c.insertedat, 
	c.IdentityTag,
	c.IPAddress,	
	c.QuarantineCount,
	c.LastLoggedOnUser,
	c.MessageSystemAddress,
	cgm.GroupID

FROM [SOPHOS521].[dbo].[ComputersAndDeletedComputers] as c
    inner join [SOPHOS521].[dbo].[ComputerGroupMapping] as cgm on cgm.ID = c.id

WHERE SUBSTRING(c.name,LEN(c.name)-9,9) in(
	SELECT SUBSTRING(c.name,LEN(c.name)-9,9)
	FROM [SOPHOS521].[dbo].[ComputersAndDeletedComputers] as c
	GROUP BY SUBSTRING(c.name,LEN(c.name)-9,9)
	HAVING (COUNT(SUBSTRING(c.name,LEN(c.name)-9,9)) > 1
	)
)
order by SUBSTRING(c.name,LEN(c.name)-9,9), c.LastMessageTime

     I would need to go through this list manually and then compare the 'LastMessageTime' and based upon the timestamp I would delete the older entry.... which is not feasible. It would need to be automated. Any more ideas?

    :50244
  • 0

    Well looking at this article...

    http://www.sophos.com/en-us/support/knowledgebase/34657.aspx

    ...and this command...

    http://www.sophos.com/en-us/support/knowledgebase/34657.aspx#nonreportingcomputers

    ...the command to select non-reporting computer would be...

    sqlcmd -E -S .\sophos -d sophos52 -Q "select name from computersanddeletedcomputers where managed=1 and lastmessagetime<'MM/DD/YYYY'" > C:\nonReportingComputerList.txt

    So the unsupported, backup your DB first, this won't ever be officially tested and supported but some do do it, delete command would be...

    sqlcmd -E -S .\sophos -d sophos52 -Q "delete from computersanddeletedcomputers where managed=1 and lastmessagetime<'MM/DD/YYYY'"

    Try running the select on a copy of the DB and see how it suits then try the delete.

    :50256

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    This answer seems to be off-topic or at least not suitable for my case, but thanks anyways. Maybe I have to re-cap: I'm trying to remove duplicate computers from the SEC DB based on 2 criteria:

    * Same ServiceTag and

    * 'LastTimeReported' (I want to keep the computer that - comparing both 'LastTimeReported' values - reported last)

    :50288
  • 0

    Hello RRR,

    I'd like to help but I'm a SQL ἰδιώτης. Guess it could even be done using pure SQL (without resorting to procedures) but it's definitely not a simple as it might seem on the first glance. Likely involves some joins and ...

    BTW: Fiddling with the database is unsupported (I know that you know but there are other readers)

    I'd just select the essential colums (ID, Name, LastMessageTime and the ServiceTag) to a (CSV) file. As SQL has done the grouping and sorting it shouldn't be too hard to write a script which picks out the "current" entries and constructs a DELETE from the remaining. It would concatenate the ID values to construct a SQL statement like

    DELETE FROM ComputersAndDeletedComputers WHERE ID IN (67, 69, 74, 78, ...)

     If you want we can continue this on the other board or by PM.

    Christian

    P.S.: I had to change the LEN function ... ah, a thousand reasons, all of them excuses :smileywink:     

    :50342
  • 0

    I could get a couple of SQL gurus here to take a shot (and hit the bull - if they have 10 minutes free) but I'd need a copy of the DB so we can prove it works.  If you're willing to forward that I'll see what I can do.

    :50348

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    State Testing has started. We are carzy busy fixing issues and I don't have time right now.

    The SEC DB is 600MB. Would I need to upload it to ftp.sophos.com at some point?

    :50400
Unfiltered HTML