Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
a
asparamancer
12/15/2020, 9:21 AMcould someone confirm, what the --schedule_epoch counter is/should be? The docs say a 64 bit int, and some articles give a unix time for it whereas other people says it's the number of times that query would run until it was reset
s
seph
12/15/2020, 11:54 AMThese are used in tracking diff queries.
The counter is the diff query count, and should be used for ordering.
The epoch is a mechanism for a site to reset the diff query state. Set it to whatever you want, change it as needed.
a
asparamancer
12/15/2020, 12:39 PMThanks, is it just any number? Or is it a unix time stamp, or the number of seconds until the diff should be reset?
t
theopolis
12/15/2020, 2:01 PMYeap, just any number of your choosing. Tools that integrate with osquery usually make use of this field.
s
seph
12/15/2020, 2:20 PMThere is nothing like a countdown, so it’s very much up to the tool. When I design systems like this, I usually use a unix time stamp. It’s easy, doesn’t require any coordination and is self documenting. But that’s not inherent.
a
asparamancer
12/15/2020, 8:47 PMah so it's just a reference marker?
can ignore, have been testing and understand how it works now
t
theopolis
12/16/2020, 2:37 PMAwesome!