Is threr a way to simply count the number of objects in a group?
(R77.30 and R80.x)
Old school method:
Please note that this method is very time consuming !
Well, for R80 you could use the management API and count the objects in the "members" column of the result of "show groups". Or you can use the script that I have written and linked here. After you have received the csv output just filter for a specific group name in the A column (when opening the csv in Excel) and you can count the hosts in column B. Tough this script does not work for Ipv6 objects - did not have the time and need to update it yet.
More solid solution that also works for IPv6 objects:
=> run "show groups details-level full --format json" via the management api
=> copy the output to your clipboard
=> paste it here or into an offline json viewer regarding any security concerns (I used test data and a cloud test instance for this example)
So for each group you will see the numbers after the "objects" section ~ marked green in the example
For each member of the group you will see numbers in the "members" section of the related group ~ marked red in this example
Keep in mind that there are default output limits of the management api that can be set via the "offset" and "limit" parameter, e.g. the first 50 groups (starting from 0) can be seen via:
mgmt_cli show groups limit 50 offset 0 details-level "full" --format json
The default value here is 50, so if you have more than 50 groups this needs to be changed (or you pull the data interval vise by changing the offset to +50 each time). If you just want the number of hosts for one specific group you can run:
mgmt_cli show group name "HERE_COME_THE_NAME" limit 50 offset 0 details-level "full" --format json
And then you follow the same procedure as above + check the numbers in the members section.
I don't have any clue for R77.30 as I never worked with pre R80 managament, sorry.
Tomer Sole This is actually quite funny in a not funny sort of way:)
Can you bump it to R&D to include the number in the Group Object's properties and, perhaps for mouse-over?
Thank you for the feedback.
For R80.10, in case that group is in a rule, you can click the rule and expand the members at the bottom "Details" tab.
In case you are interested with not just member count but actual IP ranges and non-IP objects including all nested members, we are bringing this with the API for the upcoming R80.20. You can already try it with the latest published Public EA for R80.20.
echo -e "print network_objects <NAME_OF_GROUP>\n-q\n" | dbedit -local 2>&1 | grep -roh "Table:" | wc -l
Just replace <NAME_OF_GROUP> with desired group and run this command from Management station (or from CMA itself).
Tested on R77.30 and R80.10.
I've seen your post above and have copied the string in my toolbox already:)
That being said, it really is the issue of having same capability in UI.
Reasons being that not all admins may have access to cli, but they may need to see and compare the number of objects in a group, for instance to see if something was added or removed without actually looking up individual objects.
There is also option to create script which will search all network groups on management and count objects in every of them. Maybe also list of these objects inside group
Since you've already done some scripting along these lines, would you look into possibility of modifying a script to create tags consisting of a group name and the object count and attaching them to the group objects?
Not sure if I got your request correctly, so could you please give me example what is exactly needed ? Thanks !
Enumerate the groups and the count of objects in those and pipe it into "add tag" or "set tag" so it'll tag the count to the group object. I.e.:
Would you like to have tag only with digits (1), or including timestamp ?
Because in case you will run script more times, you will have multiple tags with no meaning when it was checked.
Or some naming convention, like " <COUNT_OF_MEMBERS> - <DATE>".
Or delete all tags before checking and you will have only 1 tag with current count of all members of any group...
Long tag name shouldnt be used, as the purpose is to have simple word there...
Let me know your preffered way
EDIT: Nice finding - in case exactly the same tag is already in place for the group, it will NOT be added second time. It is valid only in case just digits should be added. For example during first run I had no tags, after script run I see there is new tag with the count of members in total (1 for example). In case I run the script second time, the tag will be not added (means objects is not modified), because the same tag is already there. On the other hand, it doesnt mean that 1 object wasnt added and 1 object wasnt removed from this group ...
Both approaches have their merits and shortcomings.
I.e. the verbose tag leaves less chances of being misinterpreted, but will not be able to show the number in the displayed portion of the tag, only in fully expanded or moused-over.
The short, numbers only tag, will be visible right away, but one cannot be sure how current the data in it is.
It may be better to have a # appended by the query time in the body of the tag, so that the number will be visible right away and by mousing over, we can see when it was discovered.
Additionally, and I am not sure if this is material, will the tag show the number of objects in published policies or installed? Also, we have to make sure that the older tags will get removed, otherwise we'll keep growing their number in perpetuity.
Thank you for running with this idea!
Okay, I will try to do it this way:
If group contains any tag with ONLY numbers, it will be removed. If there is no more tag with numbers, it will add new one tag with actual number of members in that group.
I have created script which will count members of every single network group and add this number as new tag of relevant network group.
Big thanks goes to Vladimir Yakovlev for his idea
I have tested my script in many cases and it works well. As I was doing it in my LAB where I have only 5 network groups, it would be great if someone can test it before I will post it into Developers section.
Thanks for every feedback.
I'll give it a shot as soon as I rebuild my lab environment: just had to donate my servers to the client who borked the firmware upgrade on their IBMs.
Retrieving data ...