# fleet
f
Hello Fleet, in the fleetdm docs it mentions that the API endpoints for queries, in particular the one for "run live query", can provide real-time results in the API response: https://fleetdm.com/docs/using-fleet/rest-api#run-live-query. We'd like to know if Fleet has any API endpoint that could provide historical results (at least the latest results) for scheduled queries. If this isn't the case, what would be your suggestion to pull results, from both a logging and an automation perspective?
k
Hi @frederick ferby! The results for scheduled queries are included in osquery results logs. You can pipe those through to the logging destination that best works for you and ingest them from there.
f
Thanks for the speedy reply. Does using the Fleet Helm chart change the path to grab the logs? https://github.com/fleetdm/fleet/blob/main/charts/fleet/values.yaml Based on the values file the default is /logs, or is there another location in the chart where this can be found?
j
Hi, sorry for adding an additional question here. It looks like one single result log file contains results from all scheduled queries. Is this expected? I was under the impression that I could easily filter and ingest logs from selected queries, but this way it's more difficult.
k
Apologies, @Jiayu Chang. I didn't see this! Yes, when logging to the filesystem, all logs are stored in one file. Otherwise, things could rapidly become unmanageable. For ease of ingestion, you can forward those logs to a logging destination that allows you to easily filter data.
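As an added illustration of the two answers above (this is example code written for this page, not Fleet's or osquery's own code), the script below reads a combined osquery result log, splits it by scheduled query name, and reconstructs the latest per-host state for one query. It assumes the default osquery result log layout: one JSON object per line, differential results carrying `columns` plus an `action` of `added`/`removed`, and snapshot results carrying a `snapshot` array. The sample log lines, host identifiers and query names (`pack/Global/...`) are constructed for the example; the exact `name` values in a real log depend on how the queries are scheduled in your Fleet version.

```python
import json
from collections import defaultdict

# Constructed sample result log (JSON lines), not real Fleet output.
# It mixes three scheduled queries, two hosts, differential add/remove
# events, one snapshot result, and one non-JSON junk line.
SAMPLE_LOG = """
{"name":"pack/Global/listening_ports","hostIdentifier":"host-a","unixTime":1673344800,"decorations":{"host_uuid":"1111"},"columns":{"port":"22","protocol":"6","pid":"812"},"action":"added"}
{"name":"pack/Global/users","hostIdentifier":"host-a","unixTime":1673344801,"decorations":{"host_uuid":"1111"},"columns":{"username":"root","uid":"0"},"action":"added"}
{"name":"pack/Global/listening_ports","hostIdentifier":"host-b","unixTime":1673344900,"decorations":{"host_uuid":"2222"},"columns":{"port":"4444","protocol":"6","pid":"3030"},"action":"added"}
{"name":"pack/Global/listening_ports","hostIdentifier":"host-a","unixTime":1673345000,"decorations":{"host_uuid":"1111"},"columns":{"port":"22","protocol":"6","pid":"812"},"action":"removed"}
{"name":"pack/Global/os_version","hostIdentifier":"host-b","unixTime":1673345100,"decorations":{"host_uuid":"2222"},"snapshot":[{"name":"Ubuntu","version":"22.04"}],"action":"snapshot"}
this line is not JSON and must be skipped, not crash the ingester
"""


def parse_result_log(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a log forwarder would count/alert on these instead
        if isinstance(rec, dict) and "name" in rec:
            records.append(rec)
    return records


def group_by_query(records):
    """Split the combined log into one list per scheduled query name."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["name"]].append(rec)
    return dict(groups)


def filter_by_query(records, query_name):
    return [r for r in records if r.get("name") == query_name]


def _row_key(row):
    # Stable identity for a result row so added/removed pairs cancel out.
    return json.dumps(row, sort_keys=True)


def latest_state(records, query_name):
    """Replay differential and snapshot results in time order and return
    the latest known rows per host: {hostIdentifier: [row, ...]}."""
    state = defaultdict(dict)  # host -> {row_key: row}
    ordered = sorted(filter_by_query(records, query_name),
                     key=lambda r: r.get("unixTime", 0))
    for rec in ordered:
        host = rec.get("hostIdentifier", "unknown")
        action = rec.get("action")
        if action == "snapshot":
            # A snapshot replaces everything previously known for the host.
            state[host] = {_row_key(r): r for r in rec.get("snapshot", [])}
        elif action == "added":
            state[host][_row_key(rec["columns"])] = rec["columns"]
        elif action == "removed":
            state[host].pop(_row_key(rec["columns"]), None)
    return {host: list(rows.values()) for host, rows in state.items()}


if __name__ == "__main__":
    recs = parse_result_log(SAMPLE_LOG)
    for name, group in group_by_query(recs).items():
        print(f"{name}: {len(group)} result line(s)")
    print(latest_state(recs, "pack/Global/listening_ports"))
```

Replaying the differential log this way is what gives you "latest results" without an API for them: host-a's port 22 row was added and then removed, so it disappears from the current state, while host-b's port 4444 row remains. In practice you would run the same grouping and replay in whatever logging destination receives the forwarded file, keyed on the `name` field.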