Hello, I have a question about osquery timed query and differential query.As shown in the figure below, I'm not sure why the 12:14 log was generated, because in my assumption, the 12:14 query did not differ from the 11:14 query in the last hour (here, the contents were "columns"). If there was no difference, then the 12:14 query should not exist, right?

I see a difference in

start_time

. Not sure why that would be though.

Do you think a change to start_time will result in a new log result?

Any change to a row will result in that row being logged. The thing I don't understand is how the start time could have changed on what looks like the same process.

I wonder if ntpd ran and updated the time on the system by a small offset. I’m guessing the start time is relative to the boot time of the system.

I wonder if osQuery's surge mechanism is the cause

I was thinking something along the lines of what @theopolis described. In any case osquery is expected to output a diff if the result changes, which it did.