https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi fleet team, does fleet support query running on...
# fleet
w
Hi fleet team, does fleet support query running on a given ip list?
k
You can use a host's IP address as a filter in the target picker. If you could give an example scenario, that would be helpful for giving you the best advice!
w
if i have a ip list like ipa, ipb, ipc
you mean i need pick each of them in UI one by one?
k
Would this be a group that you’d want to query together frequently, or as a one off? Is this a live query, or something you’d want to schedule? Where are those IP addresses coming from? Would you want to do this through the UI, the API, or fleetctl?
w
they could be very random query running
and i dont want to schedule it
ui api fleetctl, i think all of them work for me.
any suggestions? @Kathy Satterlee
k
I'll respond as soon as I can :) This is primarily a community-based forum and, while I do try to be as helpful as I can, I'm not always able to respond immediately.
What I'd likely do in this case is set up a script that would use the REST API to: 1. Create the query https://fleetdm.com/docs/using-fleet/rest-api#create-query and save the query ID 2. Loop over the list of IP addresses and fetch the host using the IP as 
query
to build an array of host IDs: https://fleetdm.com/docs/using-fleet/rest-api#list-hosts 3. Run the live query using the IDs collected in 1 and 2 https://fleetdm.com/docs/using-fleet/rest-api#run-live-query 4. (optionally) Delete the query https://fleetdm.com/docs/using-fleet/rest-api#delete-query
At least if this was something I was likely to have to do often enough to make selecting the hosts one by one in the UI inefficient.
w
do i need any certificate when icall this api?
k
You'd need to include an authorization header with a valid token.
w
so i just need to put the api token in the header when calling every api of fleet, right?
k
Correct. Anything but 
/login
uses that token to authenticate.
2 Views
Open in Slack
PreviousNext
Powered by