Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Tim
03/06/2020, 6:40 PMI'm having some trouble writing a query to create a label. There's a specific process that should be running on everything in my fleet, I want to return and systems that DO NOT have that process running. Any help or direction is appreciated.
z
zwass
03/06/2020, 8:17 PMosquery> SELECT 1 WHERE 'osqueryd' NOT IN (SELECT name FROM processes);
osquery> SELECT 1 WHERE 'mysqld' NOT IN (SELECT name FROM processes);
+---+
| 1 |
+---+
| 1 |
+---+Does this idea make sense? Return a result when the process is not running, return no result if the process is running.
t
Tim
03/06/2020, 10:11 PMyeah that makes perfect sense, thanks a ton
z
zwass
03/07/2020, 2:04 AMYou're welcome, good luck!