Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

:thinking_face:  how do i actually create a static label for specific hostnames - which table are hostnames available in e.g. UAT group spefic hostnames (alternatively could do another enrolment key but i’m not clear if that’s supported  in free fleet )?

<https://fleetdm.com/docs/using-fleet/faq#can-i-target-my-hosts-using-their-enroll-secrets> :confused:

``` As a workaround, Fleet's manual labels provide a way to create groups of hosts without a query. These manual labels can then be used as targets for queries or query packs.```

<https://fleetdm.com/docs/using-fleet/fleetctl-cli#host-labels> is a broken link

to clarify: need the label to both filter hosts by in the hosts page and target queries

<https://fleetdm.com/docs/using-fleet/rest-api#create-label> :thinking_face:  can some help with the query. let’s say hostname IN (“A”,“B”,“C”)

:thinking_face: `SELECT * FROM system_info where computer_name IN ('A','B');`
&gt; 

Either should do the trick. I’d personally go with `SELECT 1` just to keep things streamlined. 

If using `fleetctl` rather than the API endpoint is an option, creating a manual label would be a bit more efficient:

<https://fleetdm.com/docs/using-fleet/configuration-files#labels|https://fleetdm.com/docs/using-fleet/configuration-files#labels>

ty that’s helpful. <https://fleetdm.com/docs/using-fleet/configuration-files#labels>


is there more thorough documentation for using fleetctl config files. in particular whether it adds or overrides a specific setting.

as in if you do apply config via fleetctl

```apiVersion: v1
kind: label
spec:
  name: slack_not_running
  query: &gt;
    SELECT * FROM system_info
    WHERE NOT EXISTS (
      SELECT *
      FROM processes
      WHERE name LIKE "%Slack%"
    );```
does it add a new label (or update it if exists) , or remove all labels and add this one  (replace all label type attrobs)

Great Feedback! I'll get some updates going. A good rule of thumb is that if you can have multiples (like queries, labels, and policies), Applying a new file will create things that don't exist and change things that do. If you applied a label with the same name, the existing label would be updated. Any existing labels would remain the same.

Each individual configuration is it's own entity, even if you're applying multiple configurations at the same time.