Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

<@UKBD660NN> how are you doing it? just like `osqueryi "select * from windows_events" &gt; my_file.txt"`?

Ah ok, that wont work because `windows_events` is an event based table, meaning osquery has to be running interactively, so either dropping to the shell or running as the daemon, before any data will be generated

You can read more about event based vs schedule based tables in the read the docs

got it - so if I want to get the results outside shell, need to use the daemon?

Yeah for this instance you'd be better off using the daemon

thanks - I was way over-complicating things. just added a couple basic queries to the config, restarted daemon, and events started flowing into logs

is there a manual way to flush an events table? i've tried significantly lowering events_expiry, but I don't think the flags file is being read

The best you can do is to decrease the query interval to be very close together