Examine Osquery results
Osquery provides relevant, timely data that you can use to better understand and monitor your environment. When you run queries, the results are indexed and displayed in the Results table, which you can filter, sort, and interact with.
Results table
The Results table displays results from single queries and query packs.
Single query results
Results for single queries appear on the Results tab. When you run a query, the number of agents queried and the query status are temporarily displayed in a status bar above the results table. Agent responses can be Successful, Not yet responded (pending), or Failed.

Query pack results
Results for each query in the pack appear on the Results tab. Click the expand icon at the far right of a query row to display that query's results. The number of agents that were queried and their responses are shown for each query. Agent responses are color-coded: Successful is green, Not yet responded (pending) is gray, and Failed is red.

Investigate query results
From the results table, you can:
- Click View in Discover to explore the results in Discover.
- Click View in Lens to navigate to Lens, where you can use the drag-and-drop Lens editor to create visualizations.
- Click Timeline to investigate a single query result in Timeline, or Add to timeline investigation to investigate all results. This option is only available for single query results. When you open all results in Timeline, the events in Timeline are filtered based on the action_ID generated by the Osquery query.
- Click Add to Case to add the query results to a new or existing case. If you ran a live query from an alert, the alert and query results are added to the case as comments.
- Click the view details icon to examine the query ID and statement.
- View more information about the request, such as failures, by opening the Status tab.