Sub-group results for a Multi-Group Summary table query do not display in the expected sorting order
Last Modified: 2022-03-21 20:10:20 Etc/GMT
Technical Articles ID:
KB89604
Environment
McAfee ePolicy Orchestrator (ePO) 5.x
Problem
With Multi-Group Summary table queries, each group can be sorted using its own sorting criterion: for example, Label (A-Z), Label (Z-A), Value (Descending), Value (Ascending), or Oldest first. When a group is sorted by Value (Descending or Ascending), any group below it appears to follow the parent group's sorting criterion.
For example, if you build a Multi-Group Summary table, choose Event ID for the parent group sorted by Value (Descending), and then choose Threat Name for the child group sorted by Value (Ascending), you might expect to see results like this:
But instead, you see results like this:
Cause
This happens because, on the back end, SQL groups multiple results and then orders the grouped results, which it must do to produce the Multi-Group Summary table. The results of an SQL query are sorted with an Order By clause, which by default orders results alphabetically from A-Z. However, selecting a sort order of Value in the ePO query builder causes SQL to use the Order By clause with a count condition, which is then applied to all results that follow. There is no way within SQL to order by count and then reorder alphabetically, so any group sorted by value causes the remaining groups to be sorted primarily by value. If two results happen to have the same value and are in a sub-group of a parent sorted by value, those two sub-group results are sorted by the sort criteria chosen in the query builder.
Solution
This behavior is by design, based on the underlying functionality of SQL. Future versions of ePO might amend the instructional text to explain this more clearly.
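The ordering described under Cause can be reproduced on a small constructed table. This is an added example, not the SQL that ePO generates: the `events` table, its columns, the sample rows, and the use of SQLite in place of the ePO database are all assumptions.

```python
import sqlite3

# Constructed sample rows (event_id, threat_name); not real ePO data.
SAMPLE_EVENTS = (
    [(100, "Sample-A")] * 3 + [(100, "Sample-B")]
    + [(200, "Sample-C")] * 2 + [(200, "Sample-D")] * 2
    + [(300, "Sample-E")]
)

# Fixed allow-list of ORDER BY clauses, so no caller input reaches the SQL text.
ORDERINGS = {
    # Label sort on both groups: every key is ascending.
    "label": "event_id ASC, threat_name ASC",
    # Value sort first: the count key applies to every grouped row.
    "value_then_label_asc": "n DESC, threat_name ASC",
    # Same count key; only the label key is reversed.
    "value_then_label_desc": "n DESC, threat_name DESC",
}


def build_db():
    """Create an in-memory table (hypothetical schema) with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (event_id INTEGER, threat_name TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_EVENTS)
    return conn


def grouped_summary(conn, ordering):
    """Group by both columns, then apply one ORDER BY to the grouped rows."""
    sql = (
        "SELECT event_id, threat_name, COUNT(*) AS n FROM events "
        "GROUP BY event_id, threat_name ORDER BY " + ORDERINGS[ordering]
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    for name in ORDERINGS:
        print(name)
        for row in grouped_summary(db, name):
            print("   ", row)
```

In both value orderings the count decides the row order, and the label key only changes the order of rows whose counts are equal.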