could someone confirm, what the --schedule_epoch c...
# generala
asparamancer
12/15/2020, 9:21 AMcould someone confirm, what the --schedule_epoch counter is/should be? The docs say a 64 bit int, and some articles give a unix time for it whereas other people says it's the number of times that query would run until it was reset
s
seph
12/15/2020, 11:54 AM
These are used in tracking diff queries.
The counter is the diff query count, and should be used for ordering.
The epoch is a mechanism for a site to reset the diff query state. Set it to whatever you want, change it as needed.
a
asparamancer
12/15/2020, 12:39 PMThanks, is it just any number? Or is it a unix time stamp, or the number of seconds until the diff should be reset?
t
theopolis
12/15/2020, 2:01 PM
Yeap, just any number of your choosing. Tools that integrate with osquery usually make use of this field.
s
seph
12/15/2020, 2:20 PM
There is nothing like a countdown, so it’s very much up to the tool. When I design systems like this, I usually use a unix time stamp. It’s easy, doesn’t require any coordination and is self documenting. But that’s not inherent.
a
asparamancer
12/15/2020, 8:47 PMah so it's just a reference marker?
asparamancer
12/16/2020, 12:30 PMcan ignore, have been testing and understand how it works now
t
theopolis
12/16/2020, 2:37 PM
Awesome!
5 Views