  • m

    Marc Roelofs

    3 months ago
    Hi, API question here... I'm experimenting with the API to allow some other tools to ingest the data that comes from some basic queries. Now I am able to use the API to return query information on host-id 1, 2, 5, 7, but how do I do this for all hosts in the inventory?
  • Tomas Touceda

    3 months ago
    hi there, you could list all hosts, depends what information you want to get. You might need to get it one by one
  • Sarah Gillespie

    3 months ago
    Hi @Marc Roelofs, if you want to run a live query on all hosts, you can first look up the id of the all hosts label using the GET /api/v1/fleet/labels endpoint. In the results, you should find an entry that looks something like this:
    {
      "labels": [
        {
          "created_at": "2022-02-14T15:58:54Z",
          "updated_at": "2022-02-14T15:58:54Z",
          "id": 6,
          "name": "All Hosts",
          "description": "All hosts which have enrolled in Fleet",
          "query": "select 1;",
          "platform": "",
          "label_type": "builtin",
          "label_membership_type": "dynamic",
          "host_count": 2010,
          "display_text": "All Hosts",
          "count": 2010,
          "host_ids": null
        },
    The id might be different in your instance so I recommend confirming just to be sure. Then you can plug that into the body of your prior request to the POST /api/v1/fleet/queries/run endpoint, something like this:
    {
        "query": "SELECT * FROM osquery_info;",
        "query_id": 60,
        "selected": {
          "hosts": [],
          "labels": [6],
          "teams": []
        }
    }
    You can also target subsets of hosts using the other builtin labels or set up your own custom labels.
    Ah I see that you were using the /GET endpoint. The /POST endpoint works with a websocket connection so it may not be a fit for your use case.