I'm looking at results from a query and it contains

"action": "removed"

does this mean that it was removed from the table in osquery?

That's differential format, instead of snapshots. There should be docs.

I was reading the paragraph on schedule results where the action denotes a state change. the example provided makes sense, it'll log a state change when the process changes (new PID). This makes less sense to me when I see

"action": "removed"

as a part of querying a target for packages.

Why? Was the package removed? Did the version change?

That was the weird part, the only thing that changed was we were testing a sql query to streamline getting packages. Will look into batch log format.

Batch is still diffs, but they're grouped into a single message