Hi I m trying to use the schedule epoch flag but it doesn t

Question

Hi I m trying to use the schedule epoch flag but it doesn t work as I expect First of all does the value passed by schedule epoch flag to osquey represent the time expressed in seconds between an epoch to the next one or is it like an identifier of a specific epoch scheduling a differential query with `interval 10` What I would like to achieve A first query to store initial results for the new scheduled query some rows with `action added ` if the query detects some changes every 10 seconds the field `counter` is increased each time a query is executed in this epoch After 600 seconds 10 minutes the epoch changes counter is reseted to 0 and a new first query to store initial results the rows with `action added ` mentioned before is executed

seph · Answer

The schedule epoch is an arbitrary string that is used to reset the counter and diff results

seph · Answer

First diff results is inherently a full set Subsequent diffs are based off that

seph · Answer

Changing the epoch causes a new set of diffs

seph · Answer

Note that it s an arbitrary string not an increment or decrement Also that the epoch is for the entire device not a specific query

seph · Answer

I think that s the behavior of counter it is incremented when there are results to send Not when the query is executed this was a change sometime in 4 x

seph · Answer

osquery does not have functionality to change the epoch That s the responsibility of the TLS server Note that as its host wide changing it every 10 minuntes may not be desired

seph · Answer

Depending on your needs another approach is to schedule both snapshot and diff queries They re good for different things but exist apart from eachother

Bacarus · Answer

Perfect thank you for your explanation I confirm your thought the counter is increased only when there are results to send I ve just tried it with osquery 4 8 0