Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
u
Usama Nathani
11/17/2020, 9:02 PMHi Guys, I had a question. If a table is empty and not populated, does using SELECT * from TABLE; give an empty table or no output at all?
m
Mike Myers
11/17/2020, 9:18 PMall tables' contents are generated in response to the query, so the table doesn't exist anywhere in memory or anything, it doesn't exist until you query
🙌 1
unless it's an evented table, in which case the events are being spooled all the time, and then querying the evented table does empty some or all of the spool depending on your settings
u
Usama Nathani
11/17/2020, 9:51 PMOkay thank you! I am currently trying to enable yara_events for windows, and since the table is not being populated (still testing), it will give an empty output correct?
m
Mike Myers
11/18/2020, 6:39 AMyes, you might want/need to create a test file that is expected to trigger a yara rule, to make sure it's working
u
Usama Nathani
11/19/2020, 12:32 AMperfect, thank you 🙂