Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

confused about the `overrides` key. My osquery.conf file basically is in this format:

options
   &lt;stuff&gt;
file_paths
   &lt;list of linux file paths&gt;
overrides
   platforms
      windows
         options
            &lt;same stuff as above&gt;
         file_paths
             &lt;windows file paths&gt;
          exclude_paths
             &lt;windows file paths&gt;
      darwin
          options
            &lt;same stuff as above&gt;
          file_paths
             &lt;mac file paths&gt;


When i start my daemon on a mac, i only see the linux file paths being loaded. My config is syntactically correct, osquery isn't barfing on it.

This concept of `overrides` is only a Fleet thing. When you provide this as the agent options in Fleet, it will provide the appropriate platform configuration to osquery when it checks in for config.

ahhh, okay so testing this locally wouldn't give the expected result?

That's right. You could convert everything in the `darwin` section to JSON and then provide that to osquery -- that would be essentially what Fleet does.

cool, okay i've done that and it works as expected. thanks!