Thinking about this line in the doc

Lambda is executed once per log line. As a result, queries with differential result logging might result in a higher number of Lambda invocations.

https://github.com/fleetdm/fleet/blob/0af5e161d07d46ce5e315c3a5ac4aa50ab4b0f39/docs/Using-Fleet/Osquery-logs.md I am looking at throwing together an s3 output and don’t really want to write one file per log line and would rather batch these.

Actually scrap all of this I went down a rabbit hole , one should use fluentbit as a sidecar and not rewrite core software

Some forwarder in a sidecar is a totally viable option as well.

However the use of fluentbit for example which can batch multiple log lines into a single file where processing is done via a lambda function can result in a significant reduction in invocations and costs as a result

I believe the actual problem I was looking to solve was how can I optimise siem throughput for cost over a separate goal of using S3 I personally got tunnel vision into sending S3 logs from fleet due to it supporting S3 as a file carving destination but the way logs are processed by the server would not lend itself to the benefit I would like to see without making foundational change s to fleets way of processing logs which in hindsight I don't believe are warranted