
Osquery not giving JSON or CSV output in a window

I have tried these, but I am unable to produce CSV or JSON output.

osquery> --csv select * from time;
osquery> --json select * from time;
osquery> --csv 'select * from time';
osquery> select * from time --CSV;
osquery> 'select * from time' --CSV;
    @Compo your comment seems needlessly aggressive. I do think the user could improve the question by including what the output was from those failed commands, but it included enough context that I was able to understand the problem and provide an answer. – Zach Jul 15 '20 at 16:07
  • There is nothing aggressive about my comment @Zach, if your interpretation of it differs from mine, then it is in your own interests to deal with your misinterpretation issues. The question does not meet the required standards, because the OP has not provided sufficient information for potential helpers to replicate all of the steps taken by them and therefore reproduce the issues reported. In addition to that your answer is not using `osquery`, but `osqueryi`, and appears to be using a 'shell' which does not match the [[tag:cmd]] tag and probably the incorrectly assigned [[tag:window]] one. – Compo Jul 15 '20 at 16:52
  • Additionally @Zach, I'm assuming by the [[tag:window]] tag, that it is supposed to be [[tag:windows]], and the [tag:windows] [tag:shell], is [tag:cmd]. The executable, `cmd.exe`, does not use `$` for its default prompt, so I assume that the question has used incorrect tags, and has not sufficiently even made clear what OS, or shell it is supposed to be asking for assistance with. If you notice the link I provided in my 'aggressive' comment, you should note that it is for installing `osquery` on Windows. – Compo Jul 15 '20 at 16:57
  • @compo There is plenty of context in that question to answer it. Knowledge of osqueryi would show a clear misuse, as Zach answered. – seph Jul 15 '20 at 17:22
  • @seph, I am quite sure that just because one person may have some idea of what the OP has done, or is intending to do, that it does not make the question clear, answerable and on topic. We should not have to read other people's answers in order to try to clarify a question, because after all it's somebody else's interpretation of the question, not a clarification of it. I am satisfied that my initial comment is correct, I formed my own opinion on the suitability of the question based upon my experience on this site. I'm not asking for others to validate my opinion, and neither should you. – Compo Jul 15 '20 at 17:44
  • You don't have to read Zach's answer. You have to understand the tool the question is about. It's a clear syntax error inside osquery. Though the tags did seem off. (so I suggested an edit for those) – seph Jul 15 '20 at 18:01
  • As you say @seph, in order to answer the question, you had to have a reasonably good understanding of the tool [[tag:osquery]], and effectively disregard all of the other four tags included in the 'post'. In fact, I saw your suggested edit, where you thought that removing three of the five tags was warranted. Those facts alone are sufficient to suggest that the 'post' was not up to the standard required, and I refer back therefore to my initial comment! – Compo Jul 15 '20 at 19:47
  • Seems fine to me. People don't always know how or what to ask. I'm sympathetic to people getting it wrong. Fixing the tags is a better experience than harshing on them. – seph Jul 16 '20 at 00:47

1 Answer


It looks like you already started osqueryi in shell mode, so it is not parsing the flag you are trying to pass.

What you are looking for is probably (from your cmd.exe shell):

C:\Program Files\osquery>osqueryi.exe --json "select * from time"
[
  {"datetime":"2020-07-15T16:02:33Z","day":"15","hour":"16","iso_8601":"2020-07-15T16:02:33Z","local_time":"1594828953","local_timezone":"PDT","minutes":"2","month":"7","seconds":"33","timestamp":"Wed Jul 15 16:02:33 2020 UTC","timezone":"UTC","unix_time":"1594828953","weekday":"Wednesday","year":"2020"}
]
$ osqueryi --csv 'select * from time'
weekday|year|month|day|hour|minutes|seconds|timezone|local_time|local_timezone|unix_time|timestamp|datetime|iso_8601
Wednesday|2020|7|15|16|2|37|UTC|1594828957|PDT|1594828957|"Wed Jul 15 16:02:37 2020 UTC"|2020-07-15T16:02:37Z|2020-07-15T16:02:37Z

Your other option is to set the "output mode" while in the osqueryi shell:

$ osqueryi.exe
Using a virtual database. Need help, type '.help'
osquery> .mode csv
osquery> select * from time;
weekday,year,month,day,hour,minutes,seconds,timezone,local_time,local_timezone,unix_time,timestamp,datetime,iso_8601
Wednesday,2020,7,15,16,4,33,UTC,1594829073,PDT,1594829073,"Wed Jul 15 16:04:33 2020 UTC",2020-07-15T16:04:33Z,2020-07-15T16:04:33Z
osquery>

I am not sure why, but JSON is not supported as a format with the .mode command.

Zach
    You can also start osqueryi with the output mode, and then use it interactively. `osqueryi.exe --json` – seph Jul 15 '20 at 17:25
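The answer above shows the two non-interactive forms (`osqueryi --json "..."` and `osqueryi --csv "..."`) and the in-shell `.mode csv` form, and its captured output shows a detail worth knowing before you feed osquery results into a log pipeline: `--csv` on the command line emits pipe-delimited rows, while `.mode csv` inside the shell emits comma-delimited rows, and the timestamp column is quoted in both. The following is an added example, not code from the question, the answer or the osquery project. It builds the argv the answer recommends (format flag first, query as one argument), parses both CSV flavours and the JSON form into dicts, and, as an assumption for `run_query()` only, expects an `osqueryi` binary on `PATH`; the sample outputs are copied from the answer so the parsers run offline.

```python
"""Added example (not from the original post or osquery): run osqueryi
non-interactively and parse its JSON/CSV output into row dicts."""
import csv
import io
import json
import shutil
import subprocess
from typing import Dict, List

# Output captured in the answer above, embedded here (constructed sample,
# not live data) so the parsers can be exercised without an osquery install.
SAMPLE_JSON = """[
  {"datetime":"2020-07-15T16:02:33Z","day":"15","hour":"16","iso_8601":"2020-07-15T16:02:33Z","local_time":"1594828953","local_timezone":"PDT","minutes":"2","month":"7","seconds":"33","timestamp":"Wed Jul 15 16:02:33 2020 UTC","timezone":"UTC","unix_time":"1594828953","weekday":"Wednesday","year":"2020"}
]"""

# `osqueryi --csv` writes a header line and pipe-delimited rows ...
SAMPLE_CSV_FLAG = (
    "weekday|year|month|day|hour|minutes|seconds|timezone|local_time|local_timezone|unix_time|timestamp|datetime|iso_8601\n"
    'Wednesday|2020|7|15|16|2|37|UTC|1594828957|PDT|1594828957|"Wed Jul 15 16:02:37 2020 UTC"|2020-07-15T16:02:37Z|2020-07-15T16:02:37Z\n'
)

# ... while `.mode csv` inside the interactive shell writes comma-delimited rows.
SAMPLE_MODE_CSV = (
    "weekday,year,month,day,hour,minutes,seconds,timezone,local_time,local_timezone,unix_time,timestamp,datetime,iso_8601\n"
    'Wednesday,2020,7,15,16,4,33,UTC,1594829073,PDT,1594829073,"Wed Jul 15 16:04:33 2020 UTC",2020-07-15T16:04:33Z,2020-07-15T16:04:33Z\n'
)


def build_command(query: str, fmt: str = "json", binary: str = "osqueryi") -> List[str]:
    """argv for a one-shot osqueryi call.

    The format flag must precede the query and the query must be a single
    argument. Typing `--json` at the `osquery>` prompt (the mistake in the
    question) is parsed as SQL, which is why it produced nothing useful.
    Passing argv directly avoids shell quoting differences between cmd.exe
    and a POSIX shell."""
    if fmt not in ("json", "csv"):
        raise ValueError("fmt must be 'json' or 'csv'")
    return [binary, f"--{fmt}", query]


def parse_json(text: str) -> List[Dict[str, str]]:
    """osqueryi --json prints a JSON array of row objects; every value is a string."""
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of row objects")
    return rows


def parse_csv(text: str) -> List[Dict[str, str]]:
    """Parse either CSV flavour. The delimiter is sniffed from the header line:
    '|' for `--csv`, ',' for `.mode csv`. The csv module unquotes the
    timestamp column, which osquery wraps in double quotes in both forms."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    delimiter = "|" if "|" in lines[0] else ","
    reader = csv.DictReader(io.StringIO("\n".join(lines)), delimiter=delimiter)
    return list(reader)


def run_query(query: str, fmt: str = "json", binary: str = "osqueryi") -> List[Dict[str, str]]:
    """Run osqueryi non-interactively and return rows as dicts.
    Assumption for this example: an osqueryi binary is on PATH."""
    if shutil.which(binary) is None:
        raise FileNotFoundError(f"{binary} not found on PATH")
    proc = subprocess.run(build_command(query, fmt, binary),
                          capture_output=True, text=True, check=True)
    return parse_json(proc.stdout) if fmt == "json" else parse_csv(proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the captured samples; all three agree on the columns.
    for rows in (parse_json(SAMPLE_JSON), parse_csv(SAMPLE_CSV_FLAG), parse_csv(SAMPLE_MODE_CSV)):
        print(sorted(rows[0]) == sorted(parse_json(SAMPLE_JSON)[0]),
              rows[0]["weekday"], rows[0]["unix_time"], rows[0]["timestamp"])
```

On Windows, pass `binary="osqueryi.exe"` (or the full path under `C:\Program Files\osquery`); the argv layout is the same. For ingestion, prefer `--json`: it needs no delimiter sniffing and keeps column names attached to values.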