Hi! I'm getting

distributed query is denylisted

on Fleet console while querying hosts. I was looking for info on why is this happening but what I've found seems a little bit confusing to me. Can anyone explain me why is this caused and how can this be solved or if there's a way to mitigate that? Thanks in advance!

are you running other scheduled queries, the deny list is like a watchdog that ensures osquery doesn't eat up compute in a bad way. This is to be expected and shows that it is working Are you getting this across every host, or just some?

Hey @tlark I was querying multiple hosts and yes, I'm running other scheduled queries. I was getting the error for several hosts but not all of them for sure. This was the first time I'm seeing this as I've been running a lot of more expensive queries (imho) in the past and this never happened. Is there away to monitor how much resources the queries are using other than the impact shown?

yeah you can monitor the deny list itself to see when the watch dog does this, a query like this can monitor I think

SELECT * FROM osquery_schedule
where denylisted = 1;