could someone confirm, what the --schedule_epoch counter is/should be? The docs say a 64 bit int, and some articles give a unix time for it whereas other people says it's the number of times that query would run until it was reset

These are used in tracking diff queries. The counter is the diff query count, and should be used for ordering. The epoch is a mechanism for a site to reset the diff query state. Set it to whatever you want, change it as needed.

Thanks, is it just any number? Or is it a unix time stamp, or the number of seconds until the diff should be reset?

Yeap, just any number of your choosing. Tools that integrate with osquery usually make use of this field.

There is nothing like a countdown, so it’s very much up to the tool. When I design systems like this, I usually use a unix time stamp. It’s easy, doesn’t require any coordination and is self documenting. But that’s not inherent.

ah so it's just a reference marker?

Awesome!