Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hello, I was a little confused about how `epoch` works when it comes to distributed queries. I've tried looking through the documentation but it doesn't seem to be very clear, if `epoch` isn't set in the osquery configuration files then is it 0 by default? I'm asking because I'm trying to make differential distributed queries, but I keep getting results back with `epoch` and `counter` both set to 0 which seems odd.

Yes, it defaults to 0. Also distributed queries cannot be differential, they are essentially snapshots.

Oh dang, that's brutal. Is there some fundamental reason that distributed can't be differential, or is just a matter of that feature hasn't been written yet? I guess I'm confused because in Fleet there are definitely options for Differential, Snapshot, etc when configuring a pack to run. (Or am I mixing up my terminology?)

You seem to be mixed up. "distributed" is the term osquery uses internally for what most folks call "live queries".

Packs are separate from distributed... they run queries on an interval. That's where you get the differential functionality.