Views
Sometimes it's useful to take a query and save it as a new table. This new table reflects changes to the base tables as they happen (it is not a snapshot), and you can then query it like any other table. These are views; osquery supports them because it is built on SQLite, and it provides a configuration file key, "views", to create them.
```json
"views" : {
  "screenshots" : "select time, trim(SUBSTR(cmdline, instr(cmdline, ' /'))) as path, euid, egid, uid, gid, auid, cmdline from process_events where path like '%screencapture%';"
},
```
This view is taken from the guide on screenshot auditing. It would be of limited use unless you have process auditing configured, but it shows how a complex query can be broken into smaller chunks and then reused as views.
A simple view example might be:
```json
"views" : {
  "downloaded_files" : "select * from file where directory like '/Users/%/Downloads/';"
}
```
Now you can `select * from downloaded_files` anywhere you would have used that subquery.
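To show what a "views" entry amounts to once osquery hands it to SQLite, here is an added example (not code from osquery or its documentation). It parses a config fragment of the shape shown above into `CREATE VIEW` statements, runs them against an in-memory SQLite database with a constructed stand-in for osquery's `file` table, and then demonstrates that the view picks up rows inserted into the base table afterwards. The `file` stand-in, its sample rows, and the helper names (`views_to_create_statements`, `build_demo_db`, `downloaded_paths`, `add_file`) are assumptions for the demonstration; osquery's real `file` table is a virtual table populated at query time, so the view behaves the same way but reads the live filesystem.

```python
import json
import sqlite3

# Constructed osquery-style config fragment, same shape as the "views" key above.
CONFIG_FRAGMENT = """
{
  "views": {
    "downloaded_files": "select * from file where directory like '/Users/%/Downloads/';"
  }
}
"""


def views_to_create_statements(config_text):
    """Turn each entry under the config's "views" key into a CREATE VIEW statement.

    This is an assumed, simplified model of what osquery does with the key:
    the view name becomes the SQLite view name and the value becomes its body.
    """
    views = json.loads(config_text).get("views", {})
    stmts = {}
    for name, query in views.items():
        body = query.strip().rstrip(";")
        stmts[name] = f'CREATE VIEW "{name}" AS {body}'
    return stmts


def build_demo_db(config_text):
    """In-memory SQLite with a constructed stand-in for osquery's file table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE file (path TEXT, directory TEXT, filename TEXT, size INTEGER)"
    )
    # Constructed sample rows; only the Downloads entries should match the view.
    sample_rows = [
        ("/Users/alice/Downloads/report.pdf", "/Users/alice/Downloads/", "report.pdf", 2048),
        ("/Users/alice/Documents/notes.txt", "/Users/alice/Documents/", "notes.txt", 512),
        ("/Users/bob/Downloads/tool.dmg", "/Users/bob/Downloads/", "tool.dmg", 4096),
    ]
    conn.executemany("INSERT INTO file VALUES (?, ?, ?, ?)", sample_rows)
    for stmt in views_to_create_statements(config_text).values():
        conn.execute(stmt)
    return conn


def downloaded_paths(conn):
    """Query the view exactly as a scheduled osquery query would."""
    return [r[0] for r in conn.execute("SELECT path FROM downloaded_files ORDER BY path")]


def add_file(conn, path, directory, filename, size):
    """Simulate a new file appearing; the view sees it without being recreated."""
    conn.execute(
        "INSERT INTO file VALUES (?, ?, ?, ?)", (path, directory, filename, size)
    )


if __name__ == "__main__":
    conn = build_demo_db(CONFIG_FRAGMENT)
    print(downloaded_paths(conn))  # two Downloads entries
    add_file(conn, "/Users/alice/Downloads/new.zip", "/Users/alice/Downloads/", "new.zip", 100)
    print(downloaded_paths(conn))  # now three: the view is live, not cached
```

The second query returns the newly inserted row without any change to the view, which is the property the text relies on: a view is a saved query, re-evaluated every time it is read. For osquery the same holds, with the added caveat that `file` must be constrained (here by the `directory like` clause) or the query returns nothing.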