Hi Dhiren,
Currently, there is no agent group field available for all wazuh-states-* indexes, and that’s why we cannot apply filters based on the agent group. We cannot add an agent group or label field in these indices easily, because these indices work differently from the wazuh-alerts index. Right now, these fields are only available for the wazuh-alerts index and cannot be used for the wazuh-states indexes.
As a workaround, we can apply a DSL query in the Wazuh dashboard to show a group of agents’ details in the dashboard that uses the wazuh-states index.
To apply the filter, on the Wazuh dashboard, click on the Add filter option on the top left > select Edit as Query DSL, then add the query like below:
    {
      "query": {
        "bool": {
          "should": [
            {
              "match_phrase": {
                "agent.name": "Ubuntu-Test-server"
              }
            },
            {
              "match_phrase": {
                "agent.name": "BONY_LOQ"
              }
            },
            {
              "match_phrase": {
                "agent.name": "win10"
              }
            }
          ],
          "minimum_should_match": 1
        }
      }
    }
You should add each agent name, like above, in the agent.name field.
Then click Save to apply the filter.
Then, if you need to reuse this query, you can save this filter as a query. For that, click on the Save icon on the left corner of the search bar > Save current query > add a query name > make sure Include filters is enabled > click Save.
You can also use a similar filter in the custom dashboard to create a custom view.
Then you can use this saved query every day if you need to view only a group of agent details. I know this is a tricky one; I will let you know if I find any other solution.
We have added a feature request on this to consider this in future releases. You can also share your feedback on this feature request.
https://github.com/wazuh/wazuh/issues/32193
Let me know if you need any further information.
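The query above is one hand-written instance; the following is an added example (not from the original post or from Wazuh) that generates the same bool/should filter for any list of agent names and checks constructed wazuh-states-style documents against it. It assumes agent.name is a keyword field, so match_phrase behaves as an exact match.

```python
"""Build the Wazuh dashboard 'Edit as Query DSL' filter for a set of agents.

Added example, not code from the original post or the Wazuh project. It
generalises the hand-written query: any list of agent names becomes the
bool/should query, and a small matcher shows which documents it admits.
"""
import json


def build_agent_filter(agent_names):
    """Return the Query DSL dict with one match_phrase clause per agent.name.

    Names are stripped and de-duplicated; blank entries are rejected so a
    stray empty string does not produce a clause that matches nothing.
    """
    cleaned = []
    for name in agent_names:
        name = name.strip()
        if not name:
            raise ValueError("empty agent name in filter list")
        if name not in cleaned:
            cleaned.append(name)
    if not cleaned:
        raise ValueError("at least one agent name is required")
    return {
        "query": {
            "bool": {
                "should": [{"match_phrase": {"agent.name": n}} for n in cleaned],
                "minimum_should_match": 1,
            }
        }
    }


def matches(dsl, document):
    """Evaluate the generated filter against one document locally.

    Assumes agent.name is a keyword field, so match_phrase is an exact
    match: a renamed agent silently drops out of the filtered view.
    """
    wanted = {c["match_phrase"]["agent.name"] for c in dsl["query"]["bool"]["should"]}
    return document.get("agent", {}).get("name") in wanted


# Constructed sample documents standing in for wazuh-states-* entries.
SAMPLE_DOCS = [
    {"agent": {"id": "001", "name": "Ubuntu-Test-server"}, "package": {"name": "openssl"}},
    {"agent": {"id": "002", "name": "BONY_LOQ"}, "package": {"name": "curl"}},
    {"agent": {"id": "003", "name": "db-prod-01"}, "package": {"name": "postgresql"}},
]

if __name__ == "__main__":
    dsl = build_agent_filter(["Ubuntu-Test-server", "BONY_LOQ", "win10"])
    print(json.dumps(dsl, indent=2))  # paste this into "Edit as Query DSL"
    for doc in SAMPLE_DOCS:
        print(doc["agent"]["name"], "->", matches(dsl, doc))
```

Regenerating the JSON from a maintained agent list avoids hand-editing the saved query each time the group changes.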