Is there a trick to being able to look at osquery schedule data using osqueryi? We are writing our results to Fleet, then to Splunk so I know we have the data, but osqueryi does not return data when running

SELECT * FROM osquery_schedule;

Is this by design and how can I look at the schedule data from the interactive shell?

You can't. This is by design, but not intentional. The schedule information is stored in rocksdb and only one process can have this open at a time. The best way to address this is to live query or schedule a query for the

osquery_schedule

table.

got it, thanks. are there other tables where this is true @zwass?

Yes, any event-based tables (_events)

got it, thanks

I’ve always wanted a feature to do this type of “debugging” with osqueryi