what is the simplest way to add a custom keypair that gets returned from osquery - I want it to be a simple piece of text that is returned, can I do it with a flag or config option or do I have to build a custom table - essentially I want to be able to set a label client side so that "type" = "full" or "simple" gets returned

It's harder than it seems. Custom table is one route. If there are tables, for this platform, that can read files, that's another option. (Plist on macOS, registry on windows) You could be clever with etc hosts. I'm not sure there's a simple cross platform table to abuse though

hrm, thanks, I figured custom table is where I need to go, seems a bit overkill but I may be able to expand it further later I suppose. I'd rather not rely on changing a real config file on a client or dropping an sqlite file in place somewhere.

Maybe decorators?

I will google some decorators, and hopefully not get my house repainted in the process 😉 thanks for the headsup on osquery-go !!

😆 if you have control over the configs on the different hosts you could likely add a decorator that is just a

select "full" as type

or

select "simple" as type

and that would be added to each log from osquery

If you're willing to go as far as an extension, dropping a SQLite DB seems simpler.

yeah, its a fair call, I'd just really like it to get deployed with the msi

I mean… You can put a sqlitedb into the msi as easily as adjusting the flags.