Has anyone worked on specific SQL to ensure a query only runs once? I know this could be accomplished with "ad-hoc" queries but maybe a normal query in the schedule with conditions on

last_executed

from the

osquery_schedule

table

I’m curious, what’s the use case for this?

Is there a reason ad-hoc queries are not a good fit? I think they were designed exactly for this purpose.

Mostly we don't have ad-hoc queries deployed across our fleet. It would require updating flags on 100s of 1000s of hosts.

Can you give an example of a query that you would want to only run once in this way?

a one time collection of shell history files

If you have deployed to hundreds or thousands of hosts, I would imagine the deployment is automated so adding an extra flag would be easy

Adding config - from a server - is easy, adding a flag in the flags file is more complex.