# kolide
h
👋 I know you can specify the name of a saved query in `fleetctl` with the `--query-name` option, but is it possible to pass in an entire query pack to `fleetctl` to run multiple distributed queries? I can see this being useful for IR — and you could pipe the results of those queries into custom tooling for further parsing or automation.
z
That wouldn't be hard to implement with a script.
h
Thanks @zwass, I can look to script that up. Related `fleetctl` question. When running the following distributed query:

```shell
fleetctl query --hosts 1234 --query SELECT * FROM file where path like '/Users/%/Desktop/%'
```

`fleetctl` returns:

```json
{
  "host": "1234",
  "rows": []
}
```
But I can see the actual results of that query in the Fleet UI. I was running this query to make sure that the osquery had Full Disk Access but I was curious why it wouldn't print those results to my terminal.
z
It's definitely the exact same query text in the UI vs. fleetctl?
h
Yup. I also just tried `SELECT * FROM users LIMIT 1` in the UI and with `fleetctl`. I can see results in the UI, but I get the following with `fleetctl`:

```
{"host":"1234","rows":[]}
 100% responded (100% online) | 1/1 targeted hosts (1/1 online)
```
z
Does this happen with any host you query? Which versions of `fleet` and `fleetctl`?
h
Ah. When I flank the query in double quotes it works:

```shell
fleetctl query --hosts 1234 --query "SELECT * FROM osquery_info"
```
I wasn't doing that initially 😬
z
Oh ha yeah shell interpolation
h
🏃
Sorry about that
z
Haha no worries
Glad it works!
h
Me too, thank you again!