Wildcard Rules

The osquery wildcard spec

osquery has a simplified wildcarding system for matching operating system directories and files.

% - Match all %% - Match all recursively %XX - Match all ending in XX XX% - Match all starting with XX

Examples

/bin/% - Resolves a vector of every file in /bin /bin/%% - Match all files in bin and all files in any sub directory(n deep, to a limit) /bin/%sh - Match all files in bin ending with sh. /bin/bash /bin/sh /bin/zsh /bin/ba% - Match all files in /bin starting with ba. /bin/bash

Note

%XX% and XX%XX is undefined and will not resolve wildcards in the expected way. This may be implemented in future but there are no plans.

http://osquery.rtfd.org

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Wildcard Rules

The osquery wildcard spec

Examples

Note

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally