Do you guys know if there is a function in osquery to get a substring ? substr exists in sqlite, but it seems like osquery doesn't like it.

The normal

substr

function works.

osqueryi "SELECT substr('SQLite substr', 1, 6);"
+-------------------------------+
| substr('SQLite substr', 1, 6) |
+-------------------------------+
| SQLite                        |
+-------------------------------+

yeah, I think the problem might be from fleetdm, not osquery. Thanks anyway

If there might be a problem in Fleet, would love to understand and fix that. Anything supported in osquery should be supported also in Fleet.

The problem is when I execute the query I get an error right away "Something has gone wrong. Please try again" Usually if it's syntax issue I get an error saying what was wrong with the syntax, but this error is weird. Fleetdm logs doesn't show anything about it and neither the workstation that the query was supposed to be execute on.

Can you open the network inspector in the browser and see what the response is from the Fleet server?

oh great idea, haven't thought about using the network inspector to check the response.

Oh wow very interesting. Cloudflare blocks only that query?

Cloudflare blocks certain queries that think it's a SQL injection. I've had this problem with other functions as well.