Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

<@UG5V3FXTQ> ^^^ These are at least 3 benefits

Thank you <@U7NK3LB9A>! That's some great input, much appreciated!

Regarding `2)`. Does that mean all logs first goes to Fleet and are then forwarded to Splunk? That seems like a nice thing since that would mean only that one machine would need to be able to reach Splunk.

Correct. Logs get collected on the fleet server. Fleet server ships them to Splunk.

In my envioronment if I just used osquery, the alternative would have been either install a Splunk forwarder on *every* endpoint or log locally and ship to syslog.

Thank you again <@U7NK3LB9A>, that's very helpful!