interesting. i'm asking because I'm seeing incomplete results from

select * from shell_history;

I would've presumed it'd be able to get the history for all users. I haven't seen anything from today

You need to

SELECT * FROM users JOIN shell_history USING (uid)

yeah I've done that too, same thing. I enabled historydatetime in the bash_profile of the user, and I get the last unix time stamp from yesterday (1587415304)

@zaibimed Osquery reads from all files with the following name convention:

.*_history

. So if your shell creates a file named

.bash_hst

or just

.history

it will not work.