I have a question for the group about OSQuery timestamps in

Question

I have a question for the group about OSQuery timestamps in particular Im trying to understand the timestamps for respective command line entries in the shell history table Sometimes I get data back that has an empty string for the `time` value If 0 is the default why would this show as empty ``` ``` This is causing problems for us because we are receiving alerts on command line events that realistically occurred more than 1 year ago and have already been worked and triaged but we can t make that determination just by looking at the shell history table We have thought about using file integrity monitoring on shell history files in order to get access to the file events table data and combine the two tables to give an idea about the last time the shell history file actually modified but this seems like overkill and I was hoping someone might have a more elegant solution

Mike Myers · Answer

probably a bug this line could be the cause <https github com facebook osquery blob master osquery tables system posix shell history cpp L64>

Joe Bussing · Answer

thanks

thor · Answer

Yeah that line should probably be something like `r time = timestamp empty INTEGER 0 INTEGER timestamp `