Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-18 22:49:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 86
fleet/schema/tables/system_profiler.yml
Zach Wasserman bfd0758922
Refine system_profiler table examples and description (#34053) 
Updated examples in system_profiler table to reflect correct JSON
extraction paths and added new example for collecting audio devices.
Enhanced the table description for clarity.
2025-10-10 15:56:49 -04:00

96 lines
2.9 KiB
YAML
Raw Blame History

name: system_profiler
description: |-
The system_profiler osquery table collects data from the macOS system profiler utility and returns it in JSON format.
examples: |-
Collect Mac Activation Lock Status:
```
SELECT json_extract (value,'$[0].activation_lock_status') AS activation_lock_status
FROM system_profiler
WHERE data_type='SPHardwareDataType';
```
Collect Mac Hardware UUID (platform_uuid):
```
SELECT json_extract (value,'$[0].platform_UUID') AS hardware_uuid
FROM system_profiler
WHERE data_type='SPHardwareDataType';
```
Collect Mac Serial Number:
```
SELECT json_extract (value,'$[0].serial_number') AS serial_number
FROM system_profiler
WHERE data_type='SPHardwareDataType';
```
Collect Audio Devices:
```
SELECT each.value->>'_name' AS name, each.value->>'coreaudio_device_manufacturer' AS manufacturer
FROM system_profiler sp, JSON_EACH(sp.value->'[0]._items') each
WHERE data_type = 'SPAudioDataType';
```
notes: |-
The macOS system_profiler binary reports on the hardware and software configuration of a Mac. It generates detailed, plain text, XML or json reports which can be exported from the Terminal or generated as .spx files and read by the macOS System Information.app based on "data types".
The system_profiler output is a rich source of data containing unique, per device hardware and software attributes which have many uses for enhancing Mac management.
The following data types are available from the system_profiler binary as of macOS 26:
- SPParallelATADataType
- SPUniversalAccessDataType
- SPSecureElementDataType
- SPApplicationsDataType
- SPAudioDataType
- SPBluetoothDataType
- SPCameraDataType
- SPCardReaderDataType
- SPiBridgeDataType
- SPDeveloperToolsDataType
- SPDiagnosticsDataType
- SPDisabledSoftwareDataType
- SPDiscBurningDataType
- SPEthernetDataType
- SPExtensionsDataType
- SPFibreChannelDataType
- SPFirewallDataType
- SPFontsDataType
- SPFrameworksDataType
- SPDisplaysDataType
- SPHardwareDataType
- SPInstallHistoryDataType
- SPInternationalDataType
- SPNetworkLocationDataType
- SPLogsDataType
- SPManagedClientDataType
- SPMemoryDataType
- SPNVMeDataType
- SPNetworkDataType
- SPPCIDataType
- SPParallelSCSIDataType
- SPPowerDataType
- SPPrefPaneDataType
- SPPrintersSoftwareDataType
- SPPrintersDataType
- SPConfigurationProfileDataType
- SPRawCameraDataType
- SPLegacySoftwareDataType
- SPSASDataType
- SPSerialATADataType
- SPSPIDataType
- SPSmartCardsDataType
- SPSoftwareDataType
- SPStartupItemDataType
- SPStorageDataType
- SPSyncServicesDataType
- SPThunderboltDataType
- SPUSBHostDataType
- SPNetworkVolumeDataType
- SPAirPortDataType
Because this table returns JSON values, the [SQLite JSON functions](https://sqlite.org/json1.html) are useful for parsing and transforming results.
Reference in a new issue View git blame Copy permalink