# fleet
c
Cross posting from #general as this seems more suitable 🙂 https://osquery.slack.com/archives/C08V7KTJB/p1652368962439879
m
Do you get a response at all or does it time out? Note that you will not get a response back until `FLEET_LIVE_QUERY_REST_PERIOD` time has elapsed (default 25s)
c
The first link there -> the parameters for the endpoint were incorrect but I've managed to figure out what was required. Now I can get:
{'campaign': {'created_at': '0001-01-01T00:00:00Z', 'updated_at': '0001-01-01T00:00:00Z', 'Metrics': {'TotalHosts': 1, 'OnlineHosts': 1, 'OfflineHosts': 0, 'MissingInActionHosts': 0, 'NewHosts': 0}, 'id': 687, 'query_id': 22757, 'status': 0, 'user_id': 19}}
Showing a campaign has been created... however I'm not seeing any way of actually pulling those results 😬
Using web sockets like that shown in the second link I sent seems like what I'd expect. But the websocket endpoint no longer exists 😬
m
hmm, let me investigate and get back to you. Maybe our docs are out of date
c
I can see the UI uses something along the lines of `/api/v1/fleet/results/271/xxhxfxhx/websocket` which is similar to the `/api/v1/fleet/results/websockets` endpoint noted in the web sockets docs. I'm just not entirely sure where these extra parameters are being generated (and don't fancy breaking through obfuscated JavaScript 😝)
Thanks for the help!
m
oh, did you try using `/api/v1/fleet/results/websocket` (note the missing "s" at the end)
c
That looks like it's doing something now! Ouch, is that a typo in the docs or is that a recent update?
Thanks for finding that
m
I think it's a typo. This endpoint isn't used often by users directly, so I'm not surprised that the docs were incorrect here. I will make sure to update them.
c
Ah fair enough. Appreciate your help
l
Thanks for catching this @calhall, here's the PR to fix the documentation: #5721.