https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi all, Running into a `constraint failed` error w...
# fleet
z
Hi all, Running into a 
constraint failed
error when querying the 
windows_eventlog
table from fleet. After some troubleshooting I found that 
channel
is a required constraint in the WHERE clause, which I have added but still get the same 
constraint failed
error. is there another required constraint when querying 
windows_eventlog
? Any help is greatly appreciated!
k
Hi @zhong ! Can you share the query in question?
z
Copy code
SELECT datetime, computer_name, json_extract(windows_eventlog.data,'$.EventData.ParentProcessName') as 'Parent' from windows_eventlog where eventid = '4688' and channel = 'Security'
and json_extract(windows_eventlog.data,'$.EventData.ParentProcessName') like "winword.exe"
and json_extract(windows_eventlog.data,'$.EventData.NewProcessName') = "C:\Windows\System32\wbem\WMIC.exe"
or json_extract(windows_eventlog.data,'$.EventData.NewProcessName') like "excel.exe"
or json_extract(windows_eventlog.data,'$.EventData.NewProcessName') like "outlook.exe";
k
Try ‘source’ rather than ‘channel’.
z
Returned 
no such column: source
k
I may have checked the wrong table :) one sec.
Reaching out for a hand. bear with me!
Try removing the quotes around 
eventid
. It could be that it isn't getting parsed properly as an integer.
z
still got 
constraint failed
😓
k
Does a simpler query without the json extraction work?
Copy code
SELECT datetime, computer_name from windows_eventlog where eventid = 4688 and channel = 'Security'
z
yes! just tried running this query
Copy code
SELECT datetime, computer_name, json_extract(windows_eventlog.data,'$.EventData.ParentProcessName') as 'Parent' from windows_eventlog where eventid = 4688 and channel = 'Security';
and was able to get results
k
Brilliant! You can go from there to start layering the additional clauses on and see what happens!
z
Thank you!!
k
@zhong Did you get this sorted? I'd love to know what the culprit was.
z
yes! error came down to syntax. using 
or
resets the constraints set before so in the end, i had it working with:
Copy code
SELECT datetime, computer_name, json_extract(windows_eventlog.data,'$.EventData.ParentProcessName') as 'Parent' from windows_eventlog where eventid = '4688' and channel = 'Security'
and json_extract(windows_eventlog.data,'$.EventData.ParentProcessName') like "winword.exe"
and (json_extract(windows_eventlog.data,'$.EventData.NewProcessName') = "C:\Windows\System32\wbem\WMIC.exe"
or json_extract(windows_eventlog.data,'$.EventData.NewProcessName') like "excel.exe"
or json_extract(windows_eventlog.data,'$.EventData.NewProcessName') like "outlook.exe");
the parenthesis ensures that it keeps the previous constraints
k
Nicely done! SQL can be a bear.
7 Views
Open in Slack
PreviousNext
Powered by