Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

hi, is there a way to have all scheduled queries run once on boot (or shortly thereafter) and then back off to a less frequent differential/snapshot interval?  Trying to solve the problem of visibility into short-lived cloud instances without overloading the query interval for ones that live longer.

my only idea here is to have an aggressive query schedule and then a cron job that reconfigures the scheduled queries after some time has passed to something less frequent

This is something we discussed recently and I've been meaning to file an issue for. Would you mind filing an issue to explain what the problem and desired behavior are?

<https://github.com/osquery/osquery/issues/7030>