Query results automatically fill the Results table on the Live Query page.
Because the request is asynchronous, you do not have to stay on the page to see the results. You can leave the Live Query page and come back later to see the results.
If the current query is too long to be displayed on a single line, click the diagonal arrow next to the query to see the entire query.
Query results are returned in three states:
- Completed – the query completed successfully
- Truncated – returned data exceeds the acceptable length
- Error – incorrect SQL syntax, unavailable osquery table, etc.
You can only see results for sensors that you have permissions to view. If you run a query and the results contain sensors to which you have no access, you cannot see their results. However, the count of sensors that responded to the query (on the top right of the page) includes them.
You can filter the Results table by computer name. The Results table always displays the following two columns:
Column | Description |
---|---|
Computer Name | Name and query status of the endpoint on which the query ran. |
Time Received | The time (day) that the query ran on the endpoint. |
The remaining displayed columns depend on the query itself (see Tables). Query results reside in memory and are retained until a new query is run or services are restarted.
Export Live Query Results
You can export Live Query results into a CSV file.