Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 23 replies
  • Subscribers 0 subscribers
  • Views 76673 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SQL - How to remove duplicate entities from SEC

RRR

Hi there, its summer time, so maintenance time. I'm trying to remove deprecated computers from the SEC SOPHOS521 database using an SQL query that can get rid of hundreds of duplicates.

Our naming scheme for computernames is the following:

RoomNumber-Servicetag/Serial-Make

If a computers is renamed (or reimaged or when it receives an OS upgrade) the computername sometimes changes even though the Servicetag/Serial part stays the same. Sophos doesn't always recognize that this is the same entity thus creating duplicates that never Update and show up as Unknown and what not. Console clutter that distracts from the real issues!

Example:

old name: 506-TKJFREP-D

new name: ROAM-TKJFREP-D

or

old name: ROAM-0445001-H

new name: GH-0445001-H

The only constant is the Servicetag which is exactly 7 character (either letter or numbers) and that there is a dash encapsulating it. And the last character of the computername is always only one (1) character.

Right now I have the ability to find duplicates with the exact same name using the following SQL query:

SELECT c.Name,
	c.Description, 
	c.DomainName, 
	c.OperatingSystem, 
	c.Managed, 
	c.Deleted, 
	c.Connected,
	c.SAVOnAccess,
	c.LastMessageTime,
	c.insertedat, 
	c.IdentityTag,
	c.IPAddress,	
	c.QuarantineCount,
	c.LastLoggedOnUser,
	c.MessageSystemAddress,
	cgm.GroupID
FROM [SOPHOS521].[dbo].[ComputersAndDeletedComputers] as c
    inner join [SOPHOS521].[dbo].[ComputerGroupMapping] as cgm on cgm.ID = c.id
WHERE c.Name in(
	SELECT c.Name
	FROM [SOPHOS521].[dbo].[ComputersAndDeletedComputers] as c
        WHERE Deleted = 0
	GROUP BY c.name
	HAVING ( COUNT(c.name) > 1 )
)
order by c.name

This is done regularly and spitting out about 20 duplicates each month which I then delete manually from SEC.

Now, how would I change this query to find and automatically delete the entities that have different computernames, but the same Servicetag/Serial based on last report date (c.LastMessageTime)? Both LastMessageTimes would need to be compared and the one that is more recent stays while the other, older one gets deleted.

Jak for the rescue.

:50158


This thread was automatically locked due to age.
  • 0

    I've created a case so I can email out ftp credentials.

    Is the MDF and LDF combined 600MB?  Is the LDF the larger part of that?  If so I'd recommend shrinking it, then zipping the files and then upload them.

    :50402

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    The MDF is 830MB and the LDF is 12MB. I had to set the SQL database "Recovery Model" mode "Full" to "Simple" because I was running out of diskspace due to an exorbitant size of the LDF (4 GB and higher if I remember correct).

    I create backups of the DB 3 times a week using the built-in SQL Server "Management Tasks" that spits out (after shrinking and such) a 600MB .BAK file.

    Thanks for creating the case.

    :50408
  • 0

    Post back on the fourm when you have uploaded - I won't be checking the case itself for updates.

    :50410

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    Just uploaded the DB and replied to the support ticket. Well I also just re-read this thread and saw QC's remark that fiddling with the DB is not supported :( Well, let's see if the SQL gurus look at it. If they can figure something out it could be added to the SEC GUI as I imagine that I'm not the only one with this problem of excessive double entities in the DB.

    :51434
  • 0

    Hello RRR,

    QC's remark

    there's unsupported (we've never said it'll work) and unsupported (don't come crying for help if you do it and break something). There's also not supported and not available with Basic support. I want to avoid that a discussion gives rise to the impression we're talking about regular administration and/or approved procedures :smileyhappy:.

    something [...] could be added to the SEC GUI

    I have no idea how this something could work especially from the GUI. Essentially it boils down to a View with (very) complex (user definable) selection criteria - something that might be a challenge to be built into a graphic interface (see Data Control). What about a neural network (The new ones go into the pot, the old ones go into your crop) :smileyvery-happy:

    Christian

    :51442
  • 0

    The command you want is probably this...

    Caveats:  You can change to a 'delete' when required as the SQL below currently just does a select; please check it's pulling out the right computers and test yourself; consider this informational and not tested. :smileyhappy:

    SELECT ServiceTag, LastMessageTime FROM

    (

    SELECT SUBSTRING(c.name,LEN(c.name)-9,9) as ServiceTag, c.LastMessageTime, 

    ROW_NUMBER() over ( partition by SUBSTRING(c.name,LEN(c.name)-9,9) order by c.LastMessageTime DESC) as Ranking

    FROM [SOPHOS521].[dbo].[ComputersAndDeletedComputers] as c

        inner join [SOPHOS521].[dbo].[ComputerGroupMapping] as cgm on cgm.ID = c.id

    WHERE SUBSTRING(c.name,LEN(c.name)-9,9) in(

    SELECT SUBSTRING(c.name,LEN(c.name)-9,9)

    FROM [SOPHOS521].[dbo].[ComputersAndDeletedComputers] as c

    GROUP BY SUBSTRING(c.name,LEN(c.name)-9,9)

    HAVING (COUNT(SUBSTRING(c.name,LEN(c.name)-9,9))> 1

    )

    )

    ) aaa

    WHERE Ranking<>1

    ORDER BY ServiceTag

    :51448

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    Oh, and just to add it you select the inner part of the SQL you get to see the ranking column and the row with '1' should always be the current/active endpoint with any 2's, 3's, etc. being the duplicates.

    Example:

    2014-06-27_14-30-32.png

    :51452

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    Good: This seems to work :claphands: showing 1610 rows.

    Bad: It doesn't show me the Ranking column and it should be around 1800 duplicates. It only spits out single servicetags (1610 rows) even though your screenshot shows duplicates and triplicates (or triplets?!)... I guess the ranking for some reason doesn't work at all. I have to go. Will test when I have more time. Maybe any ideas why the ranking is not working here?

    Thanks so far. That what really helpful.

    :51586
  • 0

    Hello RRR,

    the "full" statement (from this post) SELECTs only ServiceTag and LastMessageTime for the rows WHERE Ranking<>1. Thus there should be a few duplicates (if ruckus' screenshot shows "your data" at the latest in rows 64/65).

    You'll get the output shown in the screenshot (assuming you're using the Management Studio) by selecting the inner block exactly as shown and pressing F5 (or clicking Execute).

    The 1610 rows are the n-plicates, significantly less than the expected 1800+. The sophisticated statement should not select less data than the q&d one (at least I can't see a reason). Please check if the "inner" statement spits out the 3700+ rows, run also the q&d SELECT.

    Christian

    :51600
  • 0

    QC your suggestion worked. I highlighted it (as shown on screenshot from Ruckus) and it now shows the Ranking. Thanks for the clarification. Sometimes it needs more than a screenshot to make it fool-proof (not a SQL guru here!).

    The 'inner' (highlighted) statement spits out 3216 rows and shows the Ranking.

    The complete statement (from this post ) spits out 1610 with no Ranking column; however it just shows (as requested) the entities that have an earlier 'LastMessageTime' (aka deprecated) than the one with Ranking 1.

    Works perfect as far as I can tell. Marked as Solution :)

    Note: When fiddling with the Ranking I get a breakdown of the n-plicates... Not as bad as I thought since there are only 4 entities that triplets:

    Ranking > 3 shows 0 entities

    Ranking = 3 shows 4 entities

    Ranking = 2 shows 1606 entities

    :51630
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML