Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
News Ask around Meetups Schedule a demo Share your story COMPANY The handbook Testimonials
Pricing Try it yourself

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

ioreg

click to open the table of contents
macOS logo

ioreg

Get values from macOS ioreg command. Columns are input options for the command. They match the ioreg command line tool.

Column Type Description
c text List properties of objects with the given class.
d text Limit tree to the given depth.
fullkey text The expanded name of the specific item that describes the value.
k text List properties of objects with the given key.
key text A specific item that describes the returned value.
n text List properties of objects with the given name.
p text Traverse registry over the given plane (IOService is default).
parent text The key's parent.
query text The query is printed in this column.
r text Show subtrees rooted by the given criteria.
value text The value for the specified key.

Example

Find HID Device Protocol data:

WITH protocols as (
  SELECT 
   MAX (case WHEN key = "USB Address" THEN value END) as usb_address,
   MAX (case WHEN key = "bDeviceProtocol" THEN value END) as protocol
  from ioreg where r=true and c="IOUSBDevice" group by parent
) 
SELECT * FROM usb_devices join protocols using (usb_address)

Notes

This table is not a core osquery table. It is included as part of fleetd, the osquery manager from Fleet. Code based on work by Kolide.

Edit page

Questions?

Ask us anything
{{table.title}} evented table