Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hey, I'd like to scan my fleet to see if `some_filename` is missing on any host, for whatever reason. `file` table gives me a nice result for machines that have my `some_filename` in place, but how to invert such query?

so in other words im interested in hostnames that are not listed in the results when I do `SELECT path FROM file WHERE path="some_file"`

maybe something like `osquery&gt; select type from file where path = '/etc/hosts' and type != 'regular';`?

I think when file is not existent, each host is excluded from results anyway

`SELECT 1 AS missing WHERE (SELECT path FROM file WHERE path="some_file") IS NULL;`

I was messing with making JOINS to `system_info`,  <@U0JFM04MS> this is excellent, thanks!

You're welcome! Always love a good <#C0F2H1A1L|sql> problem :slightly_smiling_face: