$linuxjunkies

osqueryi(1)

Interactive query tool for osquery that lets you write SQL queries to inspect system state and security events.


Synopsis

osqueryi [OPTION]... [QUERY]

Description

osqueryi is an interactive command-line interface to osquery, a framework that exposes the operating system as a high-performance relational database. You can write SQL queries to inspect system information, configuration, logs, and running processes.

Without arguments, osqueryi enters an interactive shell where you can type SQL queries. With a query argument, it executes that query once and exits. Results are displayed as formatted tables.

osqueryi connects to osqueryd (the daemon) if running, or uses a local snapshot of system tables. It requires osquery to be installed and configured on your system.

Common options

Flag              What it does
--help            Display help message and exit
--version         Show osquery version and exit
-L                List all available tables and exit
--json            Output results in JSON format instead of tables
--line            Display results in line format (one column per line)
--csv             Output results in CSV format
--profile         Enable query profiling to see execution time
--config_path     Path to osquery configuration file
--config_plugin   Plugin to use for configuration (default: filesystem)
--logger_plugin   Plugin for logging results

Examples

Enter interactive osquery shell; type queries at the prompt

osqueryi

Execute a single query to list 10 running processes with their names, PIDs, and states

osqueryi 'SELECT name, pid, state FROM processes LIMIT 10;'

List all available tables; pipe to head to see the first 20 table names

osqueryi -L | head -20

Count processes by user (the processes table carries a numeric uid, so join it to the users table for the username) and return results in JSON format

osqueryi --json 'SELECT u.username, count(*) AS count FROM processes p JOIN users u ON p.uid = u.uid GROUP BY u.username;'

Display system information like OS, hostname, and hardware details

osqueryi 'SELECT * FROM system_info;'

Export the list of installed packages as CSV and save it to a file (deb_packages on Debian/Ubuntu; use rpm_packages on Fedora)

osqueryi --csv 'SELECT name, version FROM deb_packages;' > packages.csv

Query open HTTPS connections with execution time profiling (--profile takes an iteration count; the query itself is passed as the final argument)

osqueryi --profile 1 'SELECT * FROM process_open_sockets WHERE remote_port = 443;'

List system users (UID less than 1000) with their numeric IDs

osqueryi 'SELECT username, uid, gid FROM users WHERE uid < 1000;'
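The --json flag is what makes osqueryi usable from scripts. The following is an added example (not from this page or the osquery project) that runs the HTTPS-connection query above, joined to processes so each socket carries a process name, and reports any connection owned by a process outside a hypothetical allowlist; it assumes osqueryi is on PATH and that the process_open_sockets and processes tables are available, and the embedded sample output is constructed so the parsing can be exercised offline.

```python
"""Run an osqueryi query with --json and flag unexpected outbound HTTPS connections.

Added example, not from the page or the osquery project. Assumes osqueryi is on
PATH; SAMPLE_OUTPUT below is constructed so parsing can be tested without osquery.
"""
import json
import subprocess

# Join sockets to their owning process so the report shows a name, not just a pid.
HTTPS_QUERY = (
    "SELECT p.name, p.pid, s.remote_address, s.remote_port "
    "FROM process_open_sockets s JOIN processes p ON s.pid = p.pid "
    "WHERE s.remote_port = 443;"
)

# Processes expected to speak HTTPS on this host (hypothetical allowlist).
EXPECTED_HTTPS_CLIENTS = {"firefox", "curl", "apt", "snapd"}


def run_osqueryi(query: str) -> list[dict]:
    """Execute one query via `osqueryi --json` and return its rows as dicts."""
    proc = subprocess.run(
        ["osqueryi", "--json", query], capture_output=True, text=True, check=True
    )
    return parse_json_rows(proc.stdout)


def parse_json_rows(stdout: str) -> list[dict]:
    """--json emits a JSON array of row objects; every column value is a string."""
    rows = json.loads(stdout)
    if not isinstance(rows, list):
        raise ValueError("unexpected osqueryi --json output")
    return rows


def unexpected_https(rows: list[dict], allowlist: set = EXPECTED_HTTPS_CLIENTS) -> list[dict]:
    """Return the connections whose owning process is not in the allowlist."""
    return [r for r in rows if r.get("name") not in allowlist]


# Constructed sample of what `osqueryi --json` prints for HTTPS_QUERY (documentation IPs).
SAMPLE_OUTPUT = json.dumps([
    {"name": "firefox", "pid": "2311", "remote_address": "203.0.113.10", "remote_port": "443"},
    {"name": "unknownd", "pid": "4102", "remote_address": "198.51.100.7", "remote_port": "443"},
])

if __name__ == "__main__":
    for row in unexpected_https(run_osqueryi(HTTPS_QUERY)):
        print(f"{row['name']} (pid {row['pid']}) -> {row['remote_address']}:{row['remote_port']}")
```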

Related commands