Stale & Duplicate devices
10 views
Skip to first unread message
Paul Siess
Apr 4, 2024, 11:29:30 AMApr 4
to velociraptor-discuss
We have ~1000 endpoints. VR is showing almost 5,000 devices including a lot of duplicates and stale devices.
Is there a simple way to remove all of the duplicates and offline devices without having to select and delete items from the device list?
Mike Cohen
Apr 4, 2024, 11:39:34 AMApr 4
to Paul Siess, velociraptor-discuss
Hi Paul,
You can use the client_delete() function to delete a client https://docs.velociraptor.app/vql_reference/server/client_delete/
To find clients that have not been seen in eg a week you can use the following query in a notebook
SELECT * FROM clients()
WHERE timestamp(epoch=last_seen_at) < timestamp(epoch=now() - 60 * 60 * 24 * 7 )
WHERE timestamp(epoch=last_seen_at) < timestamp(epoch=now() - 60 * 60 * 24 * 7 )
this will return clients that were last seen before now less a week
combining the two
SELECT client_delete(client_id=client_id, really_do_it=TRUE) FROM clients()
WHERE timestamp(epoch=last_seen_at) < timestamp(epoch=now() - 60 * 60 * 24 * 7 )
WHERE timestamp(epoch=last_seen_at) < timestamp(epoch=now() - 60 * 60 * 24 * 7 )
On Fri, Apr 5, 2024 at 1:29 AM Paul Siess <paul....@gmail.com> wrote:
We have ~1000 endpoints. VR is showing almost 5,000 devices including a lot of duplicates and stale devices.Is there a simple way to remove all of the duplicates and offline devices without having to select and delete items from the device list?
--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/3264cae3-865e-4789-a91d-1b086635269fn%40googlegroups.com.
Paul Siess
Apr 4, 2024, 12:05:04 PMApr 4
to velociraptor-discuss
Here's the query I'm using: SELECT client_delete(client_id=client_id, really_do_it=TRUE) FROM clients() WHERE timestamp(epoch=last_seen_at) < timestamp(epoch=now() - 2592000)
I'm getting this error for each record: Symbol client_delete not found. Current Scope is: [NULL], [_SessionId, $cache, $device_manager, config, $acl, $uploader, Artifact, $root], [NotebookId], [$Query], [client_id, agent_information, os_info, first_seen_at, last_seen_at, last_ip, last_interrogate_flow_id, last_interrogate_artifact_name, labels, last_hunt_timestamp, last_event_table_version, last_label_timestamp]
Am I missing a plug-in?
Carlos Cajigas
Apr 4, 2024, 1:42:04 PMApr 4
to Paul Siess, velociraptor-discuss
Folks, 
Not sure if it helps, but I am also getting the same error
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/ca1b13c5-4cf9-4ff7-860d-adabb8bbfccbn%40googlegroups.com.
MSc, GCFA, GCFE
Mike Cohen
Apr 4, 2024, 8:38:46 PMApr 4
to Paul Siess, velociraptor-discuss
Please see this kb article https://docs.velociraptor.app/knowledge_base/tips/plugin_not_found/
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/ca1b13c5-4cf9-4ff7-860d-adabb8bbfccbn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages