hey all, is there a way to get the "action" field ...
# general
b
hey all, is there a way to get the "action" field from osquery.results.log included in the "columns" key? I'm doing some log parsing and forwarding that only captures the value of the column key. In this case, as it stands, I'm not able to identify whether the application was installed or removed
s
I will have to check, but I don't think that's possible
I am sure you are aware.. `action` here represents the event format of the result log (https://osquery.readthedocs.io/en/stable/deployment/logging/#event-format)
b
Right… completely outside the context of the query executed… I think I’ll have to go back to the drawing board on this one.
s
perhaps a differential query might be better suited here..? you might have to experiment and play around a little bit
b
That is what this is right, a differential query: "applications": { "query": "SELECT *, 'applications' as _splkey FROM apps;", "interval": 60 }
s
hard to tell just from that.. https://osquery.readthedocs.io/en/stable/deployment/logging/#batch-format this says that there needs to be a flag when starting up osquery: `--logger_event_type=false`
b
thanks @sharvil
g
What are you using for the log parsing?
b
Splunk
g
Better question: how are you extracting the column data? The Splunk agent and most configs by default export the whole record and expect you to just specify `columns.foo` in your query
b
A line breaker that delimits events on a static string within all scheduled queries column payloads
g
Custom code? Maybe look at JSON parsing and moving the field into the columns array
b
Yep, trying that now with a SEDCMD
g
That sounds somewhat horrible :(
b
That it does, I’ll have to audit the parsing pipelines & see if it’ll scale or not
g
Filebeat does this natively, Python is very good at this, Go also
I would also strongly recommend sending the full record; you get context like timestamp etc., which is pretty valuable
b
Process creation and FIM both come with a payload time field, which works. But yeah, with the applications table, I don't have that available after parsing
s
I think it does not make sense to copy actions into the columns. `columns` is the data, `action` is the larger structure of the result. (Similarly with the unix time, host identifier, etc.)
I think if you want to do something weird parsing side, parse the json blob and reformat it to whatever you want
b
thanks all, great feedback
FYI, I ended up scrapping the applications query and just went with FIM for all .app target paths.