Closed James-Pickett closed 4 weeks ago
allow for passing raw data into query for dataflatten tables
```
osquery> select * from kolide_json where raw_data = '[0]';
+---------+--------+-----+-------+-------+------+----------+
| fullkey | parent | key | value | query | path | raw_data |
+---------+--------+-----+-------+-------+------+----------+
| 0       |        | 0   | 0     | *     |      | [0]      |
+---------+--------+-----+-------+-------+------+----------+

osquery> select * from kolide_json where raw_data = '{"hi":"there"}';
+---------+--------+-----+-------+-------+------+----------------+
| fullkey | parent | key | value | query | path | raw_data       |
+---------+--------+-----+-------+-------+------+----------------+
| hi      |        | hi  | there | *     |      | {"hi":"there"} |
+---------+--------+-----+-------+-------+------+----------------+
```
when adding both constraints with an OR, the first one wins unless there is a specific query
```
osquery> select * from kolide_json where path = '/tmp/test.json' or raw_data = '[0]';
+---------+--------+-----+-------+-------+----------------+----------+
| fullkey | parent | key | value | query | path           | raw_data |
+---------+--------+-----+-------+-------+----------------+----------+
| hi      |        | hi  | there | *     | /tmp/test.json |          |
+---------+--------+-----+-------+-------+----------------+----------+

osquery> select * from kolide_json where query = 0 and path = '/tmp/test.json' or raw_data = '[0]';
+---------+--------+-----+-------+-------+------+----------+
| fullkey | parent | key | value | query | path | raw_data |
+---------+--------+-----+-------+-------+------+----------+
| 0       |        | 0   | 0     | *     |      | [0]      |
+---------+--------+-----+-------+-------+------+----------+
```
not sure if this is the expected behavior