👋 I know you can specify the name of a saved query in

fleetctl

with the

--query-name

option but is it possible to pass in an entire query pack to

fleetctl

to run multiple distributed queries? I can see this being useful for IR —  and you could pipe the results of those queries into custom tooling for further parsing or automation.

That wouldn't be hard to implement with a script.

Thanks @zwass I can look to script that up. Related

fleetctl

question. When running the following distributed query,

fleetctl

returns: (fleetctl

query --hosts 1234 --query SELECT * FROM file where path like '/Users/%/Desktop/%'

{"host":"1234","rows":[]} But I can see the actual results of that query in the Fleet UI. I was running this query to make sure that the osquery had Full Disk Access but I was curious why it wouldn't print those results to my terminal.

It's definitely the exact same query text in the UI vs. fleetctl?

Yup. I also just tried

SELECT * FROM users LIMIT 1

in the UI and with

fleetctl

. I can see results in the UI but I get the following with

fleetctl

{"host":"1234","rows":[]}
 100% responded (100% online) | 1/1 targeted hosts (1/1 online)

Does this happen with any host you query? Which versions of

fleet

and

fleetctl

?

Ah. When I flank the query in double quotes it works:

fleetctl query --hosts 1234 --query "SELECT * FROM osquery_info"

Oh ha yeah shell interpolation

🏃

Haha no worries

Me too, thank you again!