Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Terje Kvernes
11/18/2022, 10:44 PMIs there a way to create a filter for machines that do not have a specific file present?
s
seph
11/19/2022, 3:38 AMWhat do you mean “filter”? Is this a question about a server feature? Which feature?
t
Terje Kvernes
11/20/2022, 4:40 PMFilter/query. I want to create a query that returns machines that are missing a specific file. I can find machines with the file easily enough, but the opposite stumps me. 🙂
s
sharvil
11/21/2022, 7:44 AMI can find machines with the file easily enough, but the opposite stumps meCan you share this query? I think the inverse of this is possible with some sql magic..
t
Terje Kvernes
11/21/2022, 12:03 PMSELECT 1 from file where path = '/path/to/file's
sharvil
11/21/2022, 12:32 PMsomething like this:
osquery> select exists(select 1 from file where path = '/tmp/test');
+-----------------------------------------------------+
| exists(select 1 from file where path = '/tmp/test') |
+-----------------------------------------------------+
| 1 |
+-----------------------------------------------------+
osquery> select exists(select 1 from file where path = '/tmp/foo');
+----------------------------------------------------+
| exists(select 1 from file where path = '/tmp/foo') |
+----------------------------------------------------+
| 0 |
+----------------------------------------------------+
osquery>with
case/whenexists/not existst
Terje Kvernes
11/21/2022, 1:00 PMAh, brilliant!
I mean, horrific, but brilliant. 🙂
s
seph
11/21/2022, 1:04 PMYou can left join against time, instead of using sub selects.
s
sharvil
11/21/2022, 1:45 PMYou can left join against time, instead of using sub selects.Ah, nice TIL -- do you know of an example for this?
I mean, horrific, but brilliant. 🙂wait, why @Terje Kvernes.? genuinely curious (I use this pattern every now and then, and wondering if it could be improved)
t
Terje Kvernes
11/21/2022, 3:08 PMIt feels like we’re abusing subselects (or joins), but in reality this is what they do. 🙂
s
sharvil
11/21/2022, 3:20 PMAh, okay…in this instance you can also do a
count(*)osquery> select count(*) from file where path = '/tmp/exists';
+----------+
| count(*) |
+----------+
| 1 |
+----------+
osquery> select count(*) from file where path = '/tmp/not_exists';
+----------+
| count(*) |
+----------+
| 0 |
+----------+t
Terje Kvernes
11/21/2022, 3:21 PMdoh I’ll go hide in the corner of SQL shame.
Thanks!
s
seph
11/21/2022, 3:22 PMabusing subselects (or joins)It’s worth thinking through what that means, and what’s good or bad. There are lots of ways to do things, and some fit circumstances better than others. I, personally, tend to avoid subselects, because it can cause additional “table scans” which translate to API hits. Mostly NBD, but some tables are slow. Joins don’t have that problem, but are usually a bit harder to write. Whether any of this matters depends a lot on the details
Despite looking like a database, osquery isn’t one. So there’s a lot of weirdness around query planning and execution.
t
Terje Kvernes
11/21/2022, 3:24 PMHow would you use “left join against time” to emulate
select not exists(select 1 from file where path = '/tmp/foo');I clearly need to retake some SQL courses, the last one I took was in 2003. I feel old. 🙂
s
seph
11/21/2022, 3:28 PMPlay with
with _f AS (select * from file where path = '/tmp/nope') select * from time left join _f;cross join might be easier. Depends on the humans reading it