any ideas why operator "where" stops working correctly in query like that: "SELECT * FROM users JOIN chrome_extensions USING (uid) where identifier = 'aapocclcgogkmnckokdopfmhonfmgoek' if my osqueryd is running as a service (windows 10, osquery 3.3.1, kolide 2.0.1). The query returns empty result, when there is an extension with that identifier value.
12/03/2018, 5:36 PM
When you receive the results from the query in which you remove the "where" clause, in Fleet are the results returned as:
(ie does the result in fleet return with quotes surrounding it)
The reason I ask is because if the result is returned with the quotes surrounding it, then you'll have to account for that in your defined "where" else you can change it to
WHERE identifier LIKE "%aapocclcgogkmnckokdopfmhonfmgoek%"
However depending on the circumstances that could prove problematic
12/05/2018, 8:12 AM
thanks RPuth for the hint, it seems that "identifier" returned in result is without any quotes, I'm still trying to understand why my distributed query works differently with osqueryd running as a service and as a process started from a cli