List available tables: .tables
Browse the schema for a specific table: .schema processes
Query running processes: SELECT pid, name, cmdline FROM processes WHERE name LIKE '%python%';
Find processes with open listening sockets: SELECT DISTINCT p.name, l.port, p.pid FROM listening_ports l JOIN processes p USING (pid) WHERE l.address = '0.0.0.0';
Run a one-shot query from the command line: osqueryi --json "SELECT * FROM users;"
Known gotchas
osquery table availability varies by platform; tables like launchd and kernel_extensions are macOS-only while others like registry are Windows-only — consult the schema at osquery.io/schema before writing cross-platform queries.
osqueryi runs queries against a snapshot of system state at query time; it does not watch for changes in real time — use osqueryd with scheduled queries for continuous monitoring.
Joining large tables (e.g., processes JOIN open_sockets) can be slow on busy systems; add WHERE filters to narrow results before joining.
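The following query is an added example, not part of the original cheatsheet, showing the filter-before-join advice applied to the listening-socket lookup above. It narrows listening_ports in a CTE before touching processes, then joins users to attach an owner. It assumes the standard osquery schema (listening_ports, processes, users) and the standard IP protocol numbers (6 = TCP, 17 = UDP); the port and path thresholds are illustrative choices, not osquery defaults.

```sql
-- Added example (not from the original page): find processes listening on
-- all interfaces, narrowing each side before the join so the join runs over
-- a small result set rather than the full processes table.
-- Assumes the standard osquery schema; thresholds below are illustrative.
WITH listeners AS (
  SELECT pid, port, protocol
  FROM listening_ports
  WHERE address IN ('0.0.0.0', '::')   -- bound to all interfaces (IPv4 / IPv6)
    AND protocol = 6                    -- TCP only (6 = TCP, 17 = UDP)
    AND port > 1024                     -- illustrative: skip well-known service ports
)
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  l.port
FROM listeners l
JOIN processes p USING (pid)            -- only rows for pids that passed the filter above
LEFT JOIN users u ON u.uid = p.uid      -- LEFT JOIN: keep processes whose uid has no users row
WHERE p.path NOT LIKE '/usr/%'          -- illustrative: surface binaries outside the usual system prefix
ORDER BY l.port;
```

The same query can be dropped into an osqueryd schedule entry with an interval, which turns the one-off osqueryi snapshot into a differential log of new or disappeared listeners; the CTE keeps each scheduled run cheap on hosts with many processes.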
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp