Tables
Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
Apple
Linux
Windows
ChromeOS
cpu_time
cpu_time
The cpu_time table displays data from the /proc/stat file which records how the Central Processing Unit (CPU) in a computer or mobile device allocates time to processing workloads.
| Column | Type | Description |
|---|---|---|
| core | integer | Name of the cpu (core) |
| guest | bigint | Time spent running a virtual CPU for a guest OS under the control of the Linux kernel |
| guest_nice | bigint | Time spent running a niced guest |
| idle | bigint | Time spent in the idle task |
| iowait | bigint | Time spent waiting for I/O to complete |
| irq | bigint | Time spent servicing interrupts |
| nice | bigint | Time spent in user mode with low priority (nice) |
| softirq | bigint | Time spent servicing softirqs |
| steal | bigint | Time spent in other operating systems when running in a virtualized environment |
| system | bigint | Time spent in system mode |
| user | bigint | Time spent in user mode |
Example
This query identifies Hosts on which the ratio of CPU time spent processing System workloads compared to User workloads is 2:1. This could be evidence of a corrupted operating system or malicious activity:
SELECT * FROM cpu_time WHERE user/system > 2;This query duplicates the macOS Activity Monitor.app GUI which shows the percentage of CPU time spent on System, User and Idle workloads:
SELECT printf(ROUND((CAST(SUM(system) AS FLOAT)/(SUM(idle)+SUM(system)+SUM(user)))*100,2)) AS system_pct,
printf(ROUND((CAST(SUM(user) AS FLOAT)/(SUM(idle)+SUM(system)+SUM(user)))*100,2)) AS user_pct,
printf(ROUND((CAST(SUM(idle) AS FLOAT)/(SUM(idle)+SUM(system)+SUM(user)))*100,2)) AS idle_pct
FROM cpu_time;Notes
Edit page
Ask us anything
Questions?
SOC2 Type 2
© 2025 Fleet Inc.
Privacy
