Hi everyone does anyone know if there s a way to query a tab osquery #sql

Hi everyone, does anyone know if there's a way to ...

Kevin Wolfe

05/15/2024, 5:34 PM

Hi everyone, does anyone know if there's a way to query a table (e.x. "table-1234") by either a) constructing the table name somehow such as from parameters, something similar to one of the following:

SELECT * FROM "table-"+"1234"

SELECT * FROM CONCAT("table-","1234")

SELECT * FROM BASE64_DECODE("dGFibGUxMjM0")

b) referencing the table without using the table name itself, something like

SELECT * FROM TABLE.ID[4]

SELECT * FROM (SELECT name FROM osquery_registry WHERE registry='table' AND name LIKE "%%-1234")

Thanks!

Kevin Wolfe

05/15/2024, 5:56 PM

none of these are supported by SQLite natively so I was hoping there was something specific to osquery that'd work

05/15/2024, 5:56 PM

sqlite does support CONCAT() but the syntax is "||"

05/15/2024, 5:57 PM

https://www.sqlitetutorial.net/sqlite-string-functions/sqlite-concat/ look at the bottom "concat operator"

Kevin Wolfe

05/15/2024, 6:01 PM

it supports CONCAT but doesn't appear to allow using the output as a table name unfortunately :\

05/15/2024, 6:02 PM

to your specific question though, i don't think sql allows you to dynamically construct a table name in the FROM like that

Kevin Wolfe

05/15/2024, 6:09 PM

dang, that seemed to be the case but I was hoping there might be a way around it. thank you for the help anyways!

Kevin Wolfe

05/15/2024, 6:09 PM

if anyone does know a circuitous way for me to do this, hmu 🙏

05/15/2024, 6:10 PM

if the value is predictable you could set it as a "variable" in a CTE virtual table possibly

seph

05/16/2024, 2:37 AM

I’m not aware of way to do this.

seph

05/16/2024, 2:40 AM

Maybe you can do somewhere where you select from a bunch of tables, and include a column, and then filter on the column… But I’m not sure it’ll really work. Like:

Copy code

WITH _agg AS (
select *, 't1' as _t FROM table1
UNION
select *, 't2' as _t FROM table2
)
select * from _agg where _t = 't1'

But I see a lot of issues with that approach

fritz

05/20/2024, 6:25 PM

You can not dynamically declare tables using any method that i am aware of. I went deep trying to accomplish this in the past to solve for queries that had platform constraints (eg. call

apps

only if the device is a mac, call

programs

only if the device is windows, etc.)

Kevin Wolfe

05/21/2024, 9:03 PM

darn, well at least I'm satisfied now that I've exhausted all possible ways to do this. I'll try to figure out a different solution to my problem, thank you!

Open in Slack

Previous Next