Hi All,
Can I make a specific decorator query be ...
# corec
Chris Benninger
08/12/2020, 8:53 PMHi All,
Can I make a specific decorator query be platform-specific? I want to provide the same decorator, but have it supplied through a different query for windoze as opposed to linux / mac
n
nyanshak
08/12/2020, 9:07 PMI asked the same question: https://osquery.slack.com/archives/C08V7KTJB/p1597099205230900
No answers, but I maybe found a workaround for my use case (two separate queries).
Maybe you could take advantage of COALESCE if all the tables are supported by all platforms though 🤷
f
fritz
08/13/2020, 12:48 PM@Chris Benninger I do not believe this is possible due to column name collisions, can you share the two queries you are trying to have populate the same decorator and I can attempt to assist?
fritz
08/13/2020, 12:52 PMI know that you cannot use CASE/COALESCE logic to platform scope output unless the table is available for both platforms as mentioned by @nyanshak, even if the condition is never met (eg.
WHEN platform = 'darwin' THEN (SELECT local_hostname FROM system_info) WHEN platform = 'windows' THEN (SELECT value from registry...)s
seph
08/13/2020, 1:45 PM
Feels like we should support discovery queries on decorators
f
fritz
08/13/2020, 1:52 PMThat's definitely a thought @seph and sounds like the cleanest solution, I wonder if there are any reasons not to...
s
seph
08/13/2020, 1:53 PM
I've been trying to come up with a clean syntax for it.
seph
08/13/2020, 1:53 PM
I think this is probably a reason people have platform specific condors.
seph
08/13/2020, 1:53 PM
Configs
c
Chris Benninger
08/13/2020, 5:03 PMThanks folks!
5 Views