Hello, I was a little confused about how

epoch

works when it comes to distributed queries. I've tried looking through the documentation but it doesn't seem to be very clear, if

epoch

isn't set in the osquery configuration files then is it 0 by default? I'm asking because I'm trying to make differential distributed queries, but I keep getting results back with

epoch

and

counter

both set to 0 which seems odd.

Yes, it defaults to 0. Also distributed queries cannot be differential, they are essentially snapshots.

Oh dang, that's brutal. Is there some fundamental reason that distributed can't be differential, or is just a matter of that feature hasn't been written yet? I guess I'm confused because in Fleet there are definitely options for Differential, Snapshot, etc when configuring a pack to run. (Or am I mixing up my terminology?)

You seem to be mixed up. "distributed" is the term osquery uses internally for what most folks call "live queries".

Got it, thank you!