Also Live query seems to end after a certain time even if all hosts dont respond. Is there a config to increase this time?

Hi Smaran, you can adjust the environment variable "FLEET_LIVE_QUERY_REST_PERIOD" to modify the time that the query will wait for the host to respond. The default is 25 seconds. Please be aware that adding time to this variable could cause performance issues.

Tysm! the docs say that the live query ends if the hosts either timeout or are offline. I am trying to load-test the live-query functionality (specifically calling the distributed write api) to see its impact on redis cpu usage. My current approach has been to create non existent hosts by calling the enroll api and using that node key. But these fake hosts are offline so they live query is ending as soon as the real hosts respond. Could you please guide me to whihc specific API to call periodically to make the host appear online Alternatively if you could suggest a better way to load test the live query functionality, your insight would be deeply appreciated

Hi Smaran, here is a document with more information on how live queries work. Since the non-existent hosts you're creating via API aren't able to communicate with the Fleet server, they will always appear as offline and be skipped by the live query functionality. I would recommend spinning up some small virtual machines and enrolling them in Fleet to test the live queries.

Thank you for your response! Since we want to test for 35K hosts, VMs wouldn't be feasible. I have found that repeatedly calling the distributed write API keeps the nodes alive. The live query functionality seems to allow the distributed write to be called multiple times on the same node_key and it shows up as duplicate records in the live query is completion is check based on count alone. As in, for eg, if I perform a live query on a cluster of 5 hosts and if only host#1 called dist write with the correct fleet_distributed_query_<campaign_id> 5 times it considers the live query to be complete even thought the 5 separate hosts themselves didnt respond. By sending more requests I was able to have more than 100% hosts responding too Right now the approach I have in mind is to create a lot of fake hosts using the enroll api, keep one host online by pinging an empty distributed write call and load testing using a single node key and this should work as long a s the total requests sent is less than the total number of hosts (including fake ones) Another interesting thing I found is that the fake hosts enrolled using just enroll_secret and host_identifier which show up with no info on the ui (see pic) seem to be auto deleted after a few hours. Im not sure if this is some background task of fleet but it is a convenient behaviour for me

Let me ask some of my colleagues to see what we do for load testing.

Tysm!

I think this tool may be helpful. Let me know what you think.

This is Perfect! Thank you so much

You're very welcome!

Hii, I'm trying to run the osquery-perf tool mentioned here and it gives this error:

2025/03/19 03:12:52 deviceClient.CheckToken:  missing or invalid license

and the following is the result when I try to call the same api:

{
  "message": "Requires Fleet Premium license",
  "errors": [
    {
      "name": "base",
      "reason": "Requires Fleet Premium license"
    }
  ]
}

Glad to hear!