thanks for the replies. So the sql queries are hitting rocksdb to fetch the data ?

Mostly no. Tables named

_events

are hitting rocksdb for the data. Everything else generates it on-the-fly. See "Virtual Tables" and "Event System" in the above linked article.

Oh, so the only way to get the history is looking at logs (added, removed etc). I was thinking osquery is like a timeseries which collects metrics and stores in rocksdb