```Expiring events for subscriber: windows_events ...
# generalm
Mystery Incorporated
10/28/2020, 6:31 PM Copy code
Expiring events for subscriber: windows_events (overflowed limit 50000)z
zwass
10/28/2020, 6:34 PM
Looks like you are perhaps not actually selecting against the
windows_eventsm
Mystery Incorporated
10/28/2020, 6:58 PMMy query is select * from windows_events
Mystery Incorporated
10/28/2020, 6:58 PMBut seems to not be emptying the table
a
alessandrogario
10/28/2020, 6:59 PM
Ah I see, so you are using events; what's your --events_expiry set at?
m
Mystery Incorporated
10/28/2020, 7:00 PMIt seems I have not set an expirey which is likely mu problem
a
alessandrogario
10/28/2020, 7:01 PM
It shouldn't be a problem though, event optimization (default enabled) will not return the same data twice, so it won't log duplicates
m
Mystery Incorporated
10/28/2020, 7:01 PMor actually would it be a problem if i'm fetching the events every 10 seconds
a
alessandrogario
10/28/2020, 7:01 PM
That message is not an error, just an information
alessandrogario
10/28/2020, 7:02 PM
if you wish to use the same table from different queries, it's not ideal to expire everything on the first query
m
Mystery Incorporated
10/28/2020, 7:02 PMAh yes I see because data will be gone for query 2
Mystery Incorporated
10/28/2020, 7:03 PMbit somehow I am ending up with 50000 entries in the table
Mystery Incorporated
10/28/2020, 7:04 PMdoes osqueryi and osqueryd share same db?
a
alessandrogario
10/28/2020, 7:04 PM
that is normal, without expiration you will keep getting new events added at the end, and expiration will remove them from the start of the queue
alessandrogario
10/28/2020, 7:05 PM
once the max amount of events (--events_max), it will remove events on one side as new ones are added to the other side
alessandrogario
10/28/2020, 7:06 PM
when using scheduled queries + osqueryd, event optimization will make sure that only new events are added (i.e. you will only log new rows added since the last query)
m
Mystery Incorporated
10/28/2020, 7:06 PMso to alleviate that warning I should set max to say 49000 then?
a
alessandrogario
10/28/2020, 7:06 PM
osqueryi and osqueryd are separate
👍 1
alessandrogario
10/28/2020, 7:06 PM
it's not a warning, it's just an informational message
alessandrogario
10/28/2020, 7:06 PM
everything is working as intended
m
Mystery Incorporated
10/28/2020, 7:07 PMoverflowed is usually bad isn't it?
a
alessandrogario
10/28/2020, 7:07 PM
if you do not wish to query the same table from multiple queries, you can set the events_expiry so that the first query will remove them
alessandrogario
10/28/2020, 7:07 PM
no it's just telling you that it's performing the cleanup, nothing bad is happening
m
Mystery Incorporated
10/28/2020, 7:07 PMoh rightio
Mystery Incorporated
10/28/2020, 7:07 PMit's cleaning up at 50000
22 Views