0

I am working with osquery. I want to save the result of an osquery query to a particular file as Excel or CSV.

I am trying the command below but not getting what I want:

$ osqueryi --json 'select * from osquery_info' > res.json

$ cat res.json

{"build_distro":"10.12","build_platform":"darwin","config_hash":"e7c68185a7252c23585d53d04ecefb77b3ebf99c","config_valid":"1","extensions":"inactive","instance_id":"38201952-9a75-41dc-b2f8-188c2119cda1","pid":"26255","start_time":"1552676034","uuid":"4740D59F-699E-5B29-960B-979AAF9BBEEB","version":"3.3.0","watcher":"-1"} ]

When I fire the query below:

osquery> select * from time;
+---------+------+-------+-----+------+---------+---------+----------+------------+----------------+------------+------------------------------+----------------------+----------------------+--------------------+
| weekday | year | month | day | hour | minutes | seconds | timezone | local_time | local_timezone | unix_time  | timestamp                    | datetime             | iso_8601             | win_timestamp      |
+---------+------+-------+-----+------+---------+---------+----------+------------+----------------+------------+------------------------------+----------------------+----------------------+--------------------+
| Friday  | 2019 | 8     | 23  | 12   | 24      | 45      | UTC      | 1566563085 | UTC            | 1566563085 | Fri Aug 23 12:24:45 2019 UTC | 2019-08-23T12:24:45Z | 2019-08-23T12:24:45Z | 132110366857557098 |
+---------+------+-------+-----+------+---------+---------+----------+------------+----------------+------------+------------------------------+----------------------+----------------------+--------------------+
osquery>

I want to save this output to Excel or CSV.

2 Answers

1

osqueryi documents a --csv flag. Does that do what you want? (--json outputs json.)

Depending on what you're doing, many people use osquery as a daemon (or service) with scheduled queries.

seph
  • Hello Seph, I want my osquery console output to go to a file, i.e. Excel or CSV. How can I achieve it? Thanks – Sparta_Saggy Aug 23 '19 at 13:31
  • 1
    @Sparta_Saggy, the answer suggested by @seph is correct. All you need to do is `osqueryi --csv 'select * from time;' > out.csv` and then you should get the output in the desired file location. Note that the separator in the csv will be the `|` and not a comma in this case. If you need it to be something else, you can use: `osqueryi --csv --separator "," "select * from time" > out.csv` – prateeknischal Sep 08 '19 at 11:28
0

I took help from other answers, then tried and failed many times, but was finally able to accomplish this task.

How to save an osquery result to a CSV file:

Please follow the syntax and form your query:
C:\Program Files\osquery>osqueryi.exe --csv --separator "," "select name,action,path,enabled,state,hidden from scheduled_tasks"; >>d.csv

I have added the screenshots below; please see them as well.

-- Double quotes "" are required in the above query; please don't miss them.

CSV file output (screenshot)

Command line (screenshot)

vimuth
Sid
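
An added example, not taken from either answer or from the osquery project: a Python script that converts the `osqueryi --json` output shown in the question into comma-separated CSV, quoting fields through Python's `csv` module and prefixing cells that a spreadsheet would evaluate as formulas. The function names and the sample rows are constructed for illustration.

```python
import csv
import io
import json
import sys

# Leading characters that spreadsheet applications treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralise(value):
    """Prefix formula-like cells with a quote so a spreadsheet shows them as text.

    Note: this also prefixes negative numbers such as "-1".
    """
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def osquery_json_to_csv(json_text):
    """Convert the JSON array printed by `osqueryi --json` into CSV text."""
    rows = json.loads(json_text)
    if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
        raise ValueError("expected a JSON array of row objects")
    # Collect columns in first-seen order so the header is stable.
    columns = []
    for row in rows:
        for key in row:
            if key not in columns:
                columns.append(key)
    out = io.StringIO()
    # QUOTE_MINIMAL quotes any field containing the separator, a quote or a newline.
    writer = csv.writer(out, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([neutralise(row.get(col, "")) for col in columns])
    return out.getvalue()


# Constructed sample rows shaped like scheduled_tasks output (not real data).
SAMPLE = json.dumps([
    {"name": "Backup, nightly", "path": "\\Backup", "enabled": "1"},
    {"name": "=SUM(A1:A2)", "path": "\\Odd \"task\"", "enabled": "0"},
])

if __name__ == "__main__":
    # Usage: osqueryi --json "select ..." | python osquery_to_csv.py > out.csv
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(osquery_json_to_csv(piped.strip() or SAMPLE))
```

Run without piped input, it converts the constructed sample; the task name containing a comma stays in one column and the formula-like name is written as text.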