@groob Here is my case - I want to extend osqueryd with my logger that read windows events and execute sql query like select * from windows_events where time >(select time from windows_events where eventid = xxx). So, I want to find some several particular event following each other. E.g. they can be next to other or separated by other events. First, I see that osquery sql does not have TOP 1 statements like regular sql (or, how can I return latest raw?). Second, no idea how to call sql statement from osquery logger. I ended up using the config file and specifying there several queries for each event. Then, in logger, I receive each raw and process it. Would be great if it wold be possible to run sql query from the logger. Any solution or advise?

osquery SQL supports the full SQLite syntax. AFAICT

TOP 1

is an MSSQL specific syntax but this is typically supported in most SQL dialects with

SELECT ... LIMIT ... ORDER BY

.

Thanks a lot.