Query Considerations: How to frame your queries to work for you

Deciding how to frame a query can be frustrating. Narrowing down ideas to get what you want can be challenging because we conceptually know what we want but we struggle to get to where we want to be. 

There are so many different ways that we can slice queries so we will narrow down this conversation to looking up workstations. Conceptually speaking, Windows workstations are pretty easy to find. However, read below so you get an idea of the positives and negatives of different framing options and decide which works for your needs.


Terminology: When we use the term “positive / positive” OR “positive / negative” what I am referring to is that we define a specific subset in a positive manner (IE. OS: TYPE == Windows) and then the micro focus is either specific to a group of Operating systems (IE. OS: DISTRIBUTION == 10)  or omits specific operating systems (IE. OS: Distribution does not contain “server” ).


(Positive/Positive) Super Granular approach – Many organizations have a good idea of what OS’s they have. They want to put in every possible workstation they can think of (XP/CE/Vista/8.1/7/8/10).

Benefits to this method: The primary action here is that you are looking for all devices that meet specific criteria. You know what you have, and you are going after this. This is helpful in the case where you may want to omit a certain OS or variable.

In the past (long past), prior to XP being a dinosaur, we found that there were a couple devices that we had that were controller panels for the elevator shafts that were considered “server/controller” type devices, but had Windows XP on them. This was a terrible thing from a vulnerability standpoint, but from an asset management perspective it was no big deal. We had to remove these by hand, and it was painful. In this case, you could simply say you know what the XP devices are and you are not including them.

Things to watch out for: Make sure you do an assessment of all operating systems that exist. If you know there is no chance that a rogue older OS will come on the system, save a query with just windows devices. Just know that when using this method devices that you don’t know about will not be shown.

From there you can go to the dashboard and create a field segmentation chart like the one below:

There are a few things to note here:

  1. I chose the chart presentation: pie chart as when you click the box icon in the corner

you get 10 entries with this one

vs 4

    2. Make sure to click on the “include entities with no value” as if there are devices that have a null value, they          will show here. This comes into play in a few minutes.


(Positive/Negative) The Everything-but Approach – the positive/negative approach is one that is more set for users who have a strong understanding of what they would like to see but there are chances they may see rogue devices on the network with older OS or not specific variables.

The main reason we would use the positive/negative approach would be due to wanting a quick and non-specific query that picks up everything outside of a certain criterion. Many people like to use this method for workstations; however, it can present the need for exclusions if you are not careful.

When looking at workstations, many feel it that may be easier may be to pull in the Preferred OS Type {equals} Windows [and] Preferred OS Distribution *does not* {contains} "server".

Benefits to this method: As mentioned earlier, this allows users to cast a wide net to pick up all devices that are not specific for a certain type of Operating System / Host Name / Etc.

Great use cases for this are to see all domains that are not xyz.

As mentioned prior, it is always a solid direction to set up a dashboard query to doublecheck your data. It will allow you to know that you are getting what you need in a simple to understand way.

Things to watch out for: There is a really specific caveat to this type of search that you need to be aware of:

  • Preferred fields: generally speaking preferred fields will propagate if there is good data feeding the preferred field. In some cases though, the preferred fields will be blank due to not enough information to query against. In those cases, if you do the Positive/Negative Approach, you will find yourself in a place that you pick up blank preferred fields as well.
    • As result, you potentially could get a server in a workstation query, if you are not careful.
    • Remember that in many cases, if you are specific about a field, you will get only that field. If you are focused on excluding fields, you will get EVERYTHING, including blank or null values.
      • This is especially important when looking at everything that is not in a date range. If you have a specific field that has no last seen date due to details brought in, you will get null dates if you omit [last seen not 0-30 days] in your query.
  • Non-Preferred Fields: this caveat applies for the positive/positive approach in the mirror opposite way. Be mindful that sometimes one adapter will call out Server 2008 while another calls out Windows 10. There is a fundamental fix that needs to take place, however, if you are in a spot where you have two fields and you look to omit “server” from the list, you may find yourself omitting actual good data from the mix.

I would highly advise that you do a query to look for devices that have multiple operating systems and clean them up, however, in cases where you may be doing a user query and looking at the username, you may find yourself with 3 different entry types. Be mindful of how you do your query.


This article is really meant to spur you to think through the way you are looking at things. The primary points we are looking at were the:

  • positive/positive approach - where you set a high-level criterion and define it granularly from there)
  • positive/negative approach - where you set the base criteria and exclude what you do not want)

We did not talk about the negative/negative approach as there are use cases but with the examples at hand, they are few and far between.


  • Check your findings regardless. It is quick and easy and you can rest assured that you have what you need.
  • Remember that null values will come with positive/negative exclusions. You can always fix this though if you add that the [xyz value exists] .
  • Map out what you want your outcome to be. If you know you will have many new fields, use a positive/negative approach.
    • If you know you want to look at specific fields, go with positive/positive.
  • If you want to view your data, consider using the pie chart. It is limited to 100 entries but you can click in the bottom left column and see 10 outputs vs 4. Keep in mind though that you can export to csv with the bar chart and not the pie so if that if your focus, stick with the bar. 
  • Ask your TAM for any pointers if you get stuck. We love working with our customer base and are always happy to help wherever we can.



Please sign in to leave a comment.

Didn't find what you were looking for?

New post