Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
seph
03/04/2022, 1:21 AMOsquery is designed to talk to extensions over a thrift socket. You can query over it. This may not be better than osqueryi, though it has less exec overhead
m
Mariya Milkova
03/05/2022, 9:44 AMthank you very much for the info, I will look into both options, you might be right that the schemas are the same
s
seph
03/05/2022, 1:11 PMThe table schema should be the same, but sometimes there’s some meta data differences. But it should be pretty easily transformable,
There are some caveats around diff vs snapshot queries. But I think diff queries are a poor fit for the problem you described.
m
Mariya Milkova
03/06/2022, 7:56 PMyes, I’ve been using the snapshot ones
the concern with the osqueryi is that they are missing a bit of the data in the json files compared to the osquery service
s
seph
03/09/2022, 11:28 PMWhat data is missing? There may be ways of getting it
m
Mariya Milkova
03/10/2022, 12:34 AMthings like the decorators
not the queries themselves, more like data about the data
s
seph
03/10/2022, 1:48 AMAh, yes. I don’t think other things have decorators. You could built that into the query usage.
I don’t think there’s a simple answer here. 😕 It’s just not how it’s made to be used. So you’re working around it