Troubles creating dynamic Device Group

I’m having a problem figuring out a specific device group I’m trying to create.

I have 3 device groups which have a subset of servers in them.

  • Core Critical Servers
  • Dev and Lab Servers
  • ITD Only Servers

I want to create a dynamic group that includes all servers, but excludes servers that are in any of the other 3 groups.

These do not work:

  1. devices.type = "Server" AND (device_groups.name != "Core Critical Servers") AND (device_groups.name != "Dev and Lab Servers") AND (device_groups.name != "ITD Only Servers")
  2. devices.type = "Server" AND device_groups.name != "Core Critical Servers" AND device_groups.name != "ITD Only Servers" AND device_groups.name != "Dev and Lab Servers"

I’m not sure what I’m missing.

Thanks,
Joel

The table device_groups has no relation to devices directly, you’ll need to use device_group_device and match on the group ID instead of name.
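To illustrate the point about the missing relation, here is an added, self-contained example (not LibreNMS's own generated SQL, and not code from anyone in this thread) using an in-memory SQLite stand-in for the three tables named above; the column names on device_group_device and the sample devices are assumed. It contrasts a row-level `!=` applied across the group-membership join, which cannot express "is not a member of", with an anti-join that can:

```python
import sqlite3

# Constructed, simplified stand-in for the tables named in the thread.
# Column names on device_group_device are assumed, not taken from LibreNMS.
SCHEMA = """
CREATE TABLE devices (device_id INTEGER PRIMARY KEY, hostname TEXT, type TEXT);
CREATE TABLE device_groups (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE device_group_device (device_group_id INTEGER, device_id INTEGER);
"""
# Constructed sample: core1 sits in two groups, lab1 in one, web1 in none.
SAMPLE = """
INSERT INTO devices VALUES (1,'core1','Server'),(2,'lab1','Server'),
                           (3,'web1','Server'),(4,'sw1','Switch');
INSERT INTO device_groups VALUES (1,'Core Critical Servers'),
                                 (2,'Dev and Lab Servers'),(3,'ITD Only Servers');
INSERT INTO device_group_device VALUES (1,1),(3,1),(2,2);
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def naive_not_equal(conn):
    # '!=' is evaluated per (device, group) membership row. A device that is
    # in "Core Critical Servers" still matches through any other group row,
    # and a device with no membership row at all has nothing to compare.
    rows = conn.execute("""
        SELECT DISTINCT d.hostname FROM devices d
        LEFT JOIN device_group_device dgd ON dgd.device_id = d.device_id
        LEFT JOIN device_groups g ON g.id = dgd.device_group_id
        WHERE d.type = 'Server'
          AND (g.name != 'Core Critical Servers' OR g.name IS NULL)
        ORDER BY d.hostname""").fetchall()
    return [r[0] for r in rows]

def exclude_groups(conn, names):
    # Anti-join: keep a server only if NO membership row links it to any of
    # the named groups. This is the "not a member of" semantics wanted here,
    # and it has to go through device_group_device.
    placeholders = ",".join("?" * len(names))
    rows = conn.execute(f"""
        SELECT d.hostname FROM devices d
        WHERE d.type = 'Server' AND NOT EXISTS (
            SELECT 1 FROM device_group_device dgd
            JOIN device_groups g ON g.id = dgd.device_group_id
            WHERE dgd.device_id = d.device_id AND g.name IN ({placeholders}))
        ORDER BY d.hostname""", names).fetchall()
    return [r[0] for r in rows]
```

With the sample data the naive filter returns every server, core1 included, while the anti-join excluding all three groups leaves only web1.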

I don’t see device_group_device as an option, do you mean device_groups.id? If so, how do I know what group ID the groups are - I don’t see a group ID column in my Manage Groups list.

Thanks for your assistance!
Joel

Yes. Correct.

How do I know what ID the groups are, to use them in this query? I don’t see that information in Manage Groups.

EDIT: I was able to suss it out by creating a dynamic test group and iterating the group ID until I mapped them all out - not ideal but I got it.

However, using device_groups.id resulted in the same output. I don’t think there was an issue using device_groups.name, as creating a new group referencing that field would work. The issue must be with my query.

Thanks,
Joel

Further follow-up…

  1. I create a device group called “Core Critical Servers” and populate it (either static or dynamic)
  2. Servers are now part of that group as expected
  3. I create another device group called “Test” with the rule: device_groups.name = “Core Critical Servers”
  4. Servers are now part of that group as expected (exact same servers as “Core Critical Servers”)
  5. I change the rule on the “Test” group to: device_groups.name != “Core Critical Servers”
  6. All devices are now members of the “Test” group; it does not exclude the “Core Critical Servers” as I would expect.

It seems to be an issue with the “not equal” function.

Can anyone else verify that, or suggest what I’m doing wrong? The “device_groups.name” field appears to work just fine.

Thanks,
Joel

Looks like the table device_group_device isn’t available in alert rules for some reason, without a code change you can’t do what you want.

How would alert rules affect device group membership though?

For reference, I’m creating Device Groups

This group rule works, and ONLY contains the members of the “Core Critical Servers” static device group:

This group rule does not work, as it contains ALL devices, and does not exclude “Core Critical Servers” members:

Joel

Hi @JoelG,

A similar topic has been discussed here recently: Dynamic group based on group membership - #3 by systeembeheerder

TL;DR: At the moment it is not possible to create dynamic groups that have an excerpt of something. Maybe you could create a feature request for that?

HTH!