#general - hey :wave: on Windows, I get a

Channels

z
Zhen
2 years ago
hey 👋 on Windows, I get a JOIN query working well in
```
osqueryi
```
interactive mode, but the same query won’t work in Osquery config
```
schedule
```
, neither did see any error in the
```
osquery\log
```
folder, any insights are greatly appreciated?
Here is the query in question, trying to correlate new connection and new process by PID in
```
windows_events
```
table 👉
```
select * from windows_events LEFT JOIN (select data as data2 from windows_events where eventid=4688) ON printf('0x%x', json_extract(data, '$.EventData.ProcessID'))=json_extract(data2, '$.EventData.NewProcessId') where eventid in (5156,5157)
```
theopolis
2 years ago
Does the osquery service receive any windows events? I recommend simplifying the query to just the window events table and go from there. I doubt the query is the problem, the problem is most likely the daemon’s configuration with respect to windows events logging.
z
Zhen
2 years ago
Thanks @theopolis, this entire query works as expected in osqueryi (ie. receives data in windows_events, also returned expected joined data). Also, simplified statement works fine in the config (ie. a sub-query without JOIN
```
select data as data2 from windows_events where eventid=4688)
```
). For reference, I have other queries under
```
schedule
```
works fine. I wonder if there is additional way to get verbose diagnose info out of osquery daemon?
```
osquery\log
```
didn’t record any error log.

View count: 1