wave I know you can specify the name of a saved query in `fl

Question

wave I know you can specify the name of a saved query in `fleetctl` with the ` query name` option but is it possible to pass in an entire query pack to `fleetctl` to run multiple distributed queries I can see this being useful for IR and you could pipe the results of those queries into custom tooling for further parsing or automation

zwass · Answer

That wouldn t be hard to implement with a script

harveywells · Answer

Thanks < zwass> I can look to script that up Related `fleetctl` question When running the following distributed query `fleetctl` returns fleetctl `query hosts 1234 query SELECT FROM file where path like Users Desktop ` host 1234 rows But I can see the actual results of that query in the Fleet UI I was running this query to make sure that the osquery had Full Disk Access but I was curious why it wouldn t print those results to my terminal

zwass · Answer

It s definitely the exact same query text in the UI vs fleetctl

harveywells · Answer

Yup I also just tried `SELECT FROM users LIMIT 1` in the UI and with `fleetctl` I can see results in the UI but I get the following with `fleetctl` ``` host 1234 rows 100 responded 100 online | 1 1 targeted hosts 1 1 online ```

zwass · Answer

Does this happen with any host you query Which versions of `fleet` and `fleetctl`

harveywells · Answer

Ah When I flank the query in double quotes it works `fleetctl query hosts 1234 query SELECT FROM osquery info `

harveywells · Answer

I wasn t doing that initially grimacing

zwass · Answer

Oh ha yeah shell interpolation

harveywells · Answer

runner

harveywells · Answer

Sorry about that

zwass · Answer

Haha no worries

zwass · Answer

Glad it works

harveywells · Answer

Me too thank you again