Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi there,
I have a very simple use case: I need to fetch latest 100 log entries from `unified_log` table.
However, the problem is that this table returns data from earliest to latest and in patches of 100, so using "ORDER BY" does not work as expected for the entire data. Even if I try to use a normal query or paginate the response, it still fetches older data first.
Is there a way I can achieve this? (*Fetch latest 100 logs from Unified logs*)
Thanks !!

I think it's not supported because the table hardcodes the direction to be ascending <https://github.com/osquery/osquery/blob/master/osquery/tables/system/darwin/unified_log.mm#L335-L342|here>. You could try making a PR to make that configurable with a new column (though not sure how it should interact with "timestamp &gt; -1" behavior, probably just don't support combining those).

My suggestion for now would be selecting from say the last second (`timestamp &gt; (select unix_time - 1 from time)`)

Oh the other pointer is that `max_rows` can make it load more than 100 rows at a time to sort by. But I've had some trouble getting queries over this table working reliably at scale without hitting resource limits osquery watchdog sets because the log can have really high volume on some machines