Live Query


Live Query functionality allows users to run real-time queries against endpoints to gather information for security analysis and IT hygiene purposes.

Live Query Execution

To execute a Live Query, follow these steps:

  • Click the ‘Live Query’ option in the left menu. The Live Query Page appears.
    Note: Users can also access the Live Query feature directly from the Alert Page.
  • On the Live Query Page, select the desired platform from the Platform list. This selection determines the target platform for running the query.
  • Select the table from the list.

    Note: There are over 100 suggested tables to choose from. See https://www.osquery.io/schema/5.6.0 for the schema of each table.

  • Select the hosts from the dropdown list by ticking multiple checkboxes. These are the endpoints on which you want to run the query.
  • The query will be displayed in the designated box on the page. Review it to ensure it reflects your intended query, then click Run Query. Within 30 seconds, the result of the query will appear on the screen. If the query cannot be resolved within that time frame, an error message will be displayed instead.
  • If desired, you can export the query result by using the "Export as XLS" button.

Additionally, you can utilize the Search feature to find a specific parameter or information within the Live Query interface.

Query Limitations

Query execution time: 30 seconds

Search History

The Search History feature allows you to access and retrieve previously executed queries, as they are automatically saved for your convenience. A specific query can be searched within the saved records using this feature.

Note
The Live Query feature is compatible with Windows, Linux distributions such as Ubuntu, Linux Mint, Red Hat Enterprise Linux (RHEL), openSUSE Leap, as well as macOS.

Saving and Managing Live Queries

In the Live Query Page, users have the option to save queries they have executed for future reference or repeated use. This guide outlines the process of saving, viewing, and managing saved queries.

Saving a Live Query

  1. Go to Live Query Page: Navigate to the Live Query Page where you have executed the query you want to save.
  2. Execute and Save Query:
    • After executing the desired query, locate the Save Query button.
    • Clicking this button opens a modal pop-up named Save Query.
  3. Provide Query Details:
    • In the modal, users are prompted to provide the following mandatory fields:
      • Query Name: Enter a unique name to identify the saved query.
      • Description: Provide a brief description for reference.
  4. Review Query:
    • The executed query will be displayed in the Query field for review.
  5. Save Query:
    • After verifying the details, click the "Save" button to store the live query as a saved query.

Viewing Saved Queries

  1. Locate Saved Queries Button:
    • To access saved queries, locate the Saved Queries button. This button is present within the Live Query Page.
  2. Access Saved Queries:
    • Clicking the Saved Queries button opens a modal pop-up window displaying all saved queries.

Actions Available for Saved Queries

  1. Search:
    • Utilize the search functionality to quickly locate specific saved queries by name.
  2. Run:
    • Execute a saved query directly from the list of saved queries by clicking the "Run" action.
  3. Edit:
    • Modify the details of a saved query by selecting the "Edit" action. Users can update the query name and description.
  4. Delete Query:
    • Remove unwanted queries from the list by selecting the "Delete" action. This action permanently removes the saved query.
  5. Note:
    • While saving or editing a saved query, ensure that a unique name is provided to prevent conflicts or confusion.
    • Users are encouraged to provide meaningful descriptions to facilitate easier identification and understanding of saved queries.