Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I am making a curl request to `<http://portquiz.net:1234|portquiz.net:1234>`
If the osquery db and osquery pid is in `/tmp/`  folder, I see some inconsistency in the number of record in `socket_events` table
Sometimes there is only 1 entry and sometimes there are 2 entries for every curl request
If I change the path to a permanent location then I see only one entry per curl request

How many tests have you run? I’d recommend trying 1000 to 10000 times using the permanent location first. The Linux audit system that provides the data for this table is not lossless. I suspect confounds in the OS and audit vs. a bug in the handling of DB and pidfile placement.

I have run it 3-4 times and the results are inconsistent
Let me look into it

test_1595233980233.csv

This is what I was facing on mac system
osquery is managed remotely with config plugin as tls
There is a query for table `socket_events`  named `mac_sockets_query`
Everytime this query is changed, I am getting an extra events in socket_events table
 It started with 1 and then increased to 6 events per curl request. Attached csv has data for two curl requests
and 1st time count was 5 and second time it was 6.