Title
#general
i

Ivanlei

04/29/2020, 5:58 PM
Has anyone worked on specific SQL to ensure a query only runs once? I know this could be accomplished with "ad-hoc" queries but maybe a normal query in the schedule with conditions on
last_executed
from the
osquery_schedule
table
sundsta

sundsta

04/29/2020, 6:01 PM
I’m curious, what’s the use case for this?
terracatta

terracatta

04/29/2020, 6:03 PM
Is there a reason ad-hoc queries are not a good fit? I think they were designed exactly for this purpose.
i

Ivanlei

04/29/2020, 6:03 PM
Mostly we don't have ad-hoc queries deployed across our fleet. It would require updating flags on 100s of 1000s of hosts.
defensivedepth

defensivedepth

04/29/2020, 6:05 PM
Can you give an example of a query that you would want to only run once in this way?
i

Ivanlei

04/29/2020, 6:05 PM
a one time collection of shell history files
6:05 PM
as an example
sundsta

sundsta

04/29/2020, 6:07 PM
If you have deployed to hundreds or thousands of hosts, I would imagine the deployment is automated so adding an extra flag would be easy
i

Ivanlei

04/29/2020, 6:15 PM
Adding config - from a server - is easy, adding a flag in the flags file is more complex.
6:16 PM
oh wait...
disable_distributed
doesn't need to come from the flags file but can be server config
6:16 PM
um... nvm
6:17 PM
thanks for talking me thought that @defensivedepth & @sundsta