At @alessandrogario, imagine the following rows from

osquery_schedule

| Pack | interval | executions | wall_time | avg_user_time | avg_system_time | avg_total_time | output_size | average_memory |
|Pack-query-processes-foo | 900 | 4 | 4705 | 805675 | 365865 | 1171540 | 0 | 0 | hostX |
|Pack-query-processes-foo | 900 | 5 | 5781 | 789994 | 363314 | 1153308 | 0 | 0 | hostX |

The query is configured to run every 900 seconds ( 15 mins), the

output_size

is 0, and the

average_memory

is 0 b/c osquery worker process reached its e.g. 750M memory limit. The running average user + system time is ~19 minutes (1153308 ms). The

wall_time

for the executions 4 & 5 was ~5 seconds. However, past executions were incredibly high thus skewing the running average. What best practices would you suggest?