Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi, i have a question on how the buffer for evented tables work in Osquery (in this case windows events for the example).

If i have an agent running with the event pub/sub enabled, and at a point in time i start a scheduled query to `windows_events` table, will I get the events from the time the agent was started or from the time the query was created? Thanks in advance.

When enabling an event publisher, that will start collecting events and saving them in RocksDB immediately, so basically at the osquery start.
Then when the query runs, you will get all the buffered events that you didn't receive yet via that query (or that aren't expired).