How do I clear performance stats user time average memory et osquery #general

How do I clear performance stats (user_time, avera...

Victor Lyuboslavsky

12/04/2023, 8:57 PM

How do I clear performance stats (user_time, average_memory, etc.) from

osquery_schedule

? I modified the

query

in my schedule (but the name remained the same), yet osquery is still reporting the old stats from the previous query. Is this intended? I expected the stats to reset if the actual query is now different. Relevant config:

Copy code

"packs": {
        "Global": {
            "queries": {
                "Get JetBrains Plugins": {
                    "query": "select * from time;",
                    "interval": 3600,
                    "platform": "",
                    "version": "",
                    "snapshot": true
                }
            }
        },

Stefano Bonicatti

12/04/2023, 9:02 PM

Unfortunately it only keeps track of the name: https://github.com/osquery/osquery/blob/master/osquery/config/config.cpp#L1021; since they are not persisted across restarts, that for now would be the only way

Victor Lyuboslavsky

12/04/2023, 10:06 PM

Would you be open to clearing the peformance stats if query was modified? I can open the issue and make the fix.

Stefano Bonicatti

12/04/2023, 10:13 PM

technically, I don't have issues. I guess you can do that in the config update function and then comparing the query strings? Not sure if there is some hidden reason that an end user would care about though. Also distributed queries might have the same issue.

Victor Lyuboslavsky

12/05/2023, 3:49 PM

I opened https://github.com/osquery/osquery/issues/8209

Victor Lyuboslavsky

12/05/2023, 3:56 PM

@Stefano A related question. Does osquery have persistent storage so that stats can persist across restarts? I see an open issue: https://github.com/osquery/osquery/issues/7694

Stefano Bonicatti

12/05/2023, 4:02 PM

No there's no persistent storage, the issue is still valid

Victor Lyuboslavsky

12/05/2023, 5:09 PM

Are we open to adding persistent storage, like a sqlite DB?

Stefano Bonicatti

12/05/2023, 5:10 PM

there's already RocksDB for that, where we buffer logs and so on

Stefano Bonicatti

12/05/2023, 5:11 PM

~~maybe~~ I misunderstood your earlier question, I thought you were asking if the stats were persisted, but osquery does have a form of persistent storage, with RocksDB

Stefano Bonicatti

12/05/2023, 5:14 PM

(I definitely read it wrong). If you check the previous link I gave, on the bottom of the function, there's a call to setDatabaseValue, which saves the fact that the query finished running

Stefano Bonicatti

12/05/2023, 5:14 PM

that's one of the functions that can access RocksDB

Victor Lyuboslavsky

12/05/2023, 5:17 PM

Ok, I'll update the issue.

Open in Slack

Previous Next