Top resource consuming queries for an asset

Top resource consuming queries for an asset

Top 10 wall_time consuming queries

SQL Query
SELECT name, 
       query, 
       wall_time, 
       user_time, 
       system_time, 
       executions 
FROM   osquery_schedule 
WHERE  upt_asset_id = '<asset_id>' 
       AND upt_day = <upt_day> 
ORDER  BY wall_time DESC 
LIMIT  10;

Top 10 Overall CPU time consuming queries
SQL Query
SELECT name, 
       query, 
       wall_time, 
       user_time, 
       system_time, 
       executions 
FROM   osquery_schedule 
WHERE  upt_asset_id = '<asset_id>' 
       AND upt_day = <upt_day> 
ORDER  BY user_time + system_time DESC 
LIMIT  10;

Top 10 memory consuming queries
SQL Query
SELECT name, 
       query, 
       wall_time, 
       user_time, 
       system_time, 

       average_memory,
       executions 
FROM   osquery_schedule 
WHERE  upt_asset_id = '<asset_id>' 
       AND upt_day = <upt_day> 
ORDER  BY average_memory DESC 
LIMIT  10;

Top 10 data generating queries
SQL Query
SELECT name, 
       query, 
       wall_time, 
       user_time, 
       system_time, 

       average_memory,
       executions 
FROM   osquery_schedule 
WHERE  upt_asset_id = '<asset_id>' 
       AND upt_day = <upt_day> 
ORDER  BY average_memory DESC 
LIMIT  10;

Top 10 queries by number of executions
SQL Query
SELECT name, 
query, 
wall_time, 
user_time, 
system_time, 
executions 
FROM   osquery_schedule 
WHERE  upt_asset_id = '<asset_id>' 
AND upt_day = <upt_day> 
ORDER  BY executions DESC 
LIMIT  10;







    • Related Articles

    • Windows Forensic Analysis queries

      This article includes a  list of queries to conduct forensic analysis on Windows systems.  These are categorized into sections as -      processes,      services,      file system activities,     user login/session activities,     network traffic.   ...

    • Find Realtime queries executed in the last 24 hours

      This article includes the query to find all the real time queries that were executed in the last 24 hours Query WITH queries      AS (SELECT Json_extract_scalar(logs.api_body, '$.query')   AS query, ...

    • Tracing command execution back to a user across an ssh session

      Some IT shops have sysadmins logging into a Jumpbox or Bastion host (with their individual id’s) then logging into production servers as root and running commands. In such a case it can be difficult to trace command execution back to the sysadmin who ...

    • Query to find Inbound / Outbound connections on Mac

      Query WITH mac_assets AS (SELECT t.upt_asset_id FROM upt_asset_tags t WHERE t.key = 'upt-mac-edr') SELECT DISTINCT pos.upt_asset_id, ps.name, pos.pid, pos.local_address, pos.remote_address, pos.local_port, pos.remote_port, CASE WHEN pos.pid = lp.pid ...

    • High CPU Utilization Alert Query

      Query WITH cpu_incremental AS ( SELECT upt_asset_id, upt_hostname, upt_time, cpu_idle - LAG(cpu_idle) OVER (PARTITION BY upt_asset_id ORDER BY upt_time) AS cpu_idle, cpu_total - LAG(cpu_total) OVER (PARTITION BY upt_asset_id ORDER BY upt_time) AS ...