Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

i'm having an issue with distributed queries &amp; kinesis streaming.  when I run a distributed query from the kolide UI, osquery does not send the results to the configured kinesis stream (results are successfully returned in kolide, tho).  Interestingly, the same osquery instance will run a scheduled pack and those results are sent to kinesis.  thoughts?

That is the intended behavior. Distributed queries are not logged like scheduled queries, they just output results to the UI/CLI.

ok.  is there any way to have the distributed queries logged to kinesis?

<@U0JFM04MS> ideally, I'd like to allow users to run distributed queries as needed &amp; pull the results from kinesis in splunk.

That is not supported by osquery... The distributed query system is independent from the scheduled query system and the logging plugins that go with it.