Hi guys. I have been reading this post that states:

MacAdmins osquery extension which comes conveniently bundled with Fleet's osquery installers by default

However - when i try to pull from the unified log table in fleetdm, I get a "No platforms (check your query for invalid tables or tables that are supported on different platforms)" Any pointers on what I am doing wrong, or am I just completely missing the point? Thanks in advance for any light you can shed om this.

Hey, this seems to be an UI bug (I can reproduce) if you ignore that message and run the query anyways you should be able to get results. I will create an issue shortly, please let me know if you're able to get past this!

😊 Being the coward that I am it never occurred to me to hit "Go".

are you able to share the errors you get? that might give us a hint

Paraphrase (afk): the column "last" does not exist

let me confirm with the team, but I think that since osquery introduced the

unified_log

table natively recently, it might take precedence over the mac admins extension 🤔 here are the available columns: https://github.com/osquery/osquery/blob/91b2c34b5b675e493e79990bcad9f25193eb9f3b/specs/darwin/unified_log.table can you try with some of the examples there? eg:

select * from unified_log where timestamp > -1 and max_rows = 500

Excellent - thank you very much for the swift follow up. I will get into it further tomorrow.