Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

My understanding of `wall_time` from `osquery_schedule` table is that it’s the unix time difference between the start and end of a query. However, does that imply it’s the difference of when the query was last executed? Further, `system_time` &amp; `user_time` are both milliseconds and I would have to divide by `executions`  to understand its performance profile?

Wall time is the period from the start of executing a query until the end, not last executed.

System and user time represent time scheduled on the CPU <https://en.m.wikipedia.org/wiki/CPU_time#Subdivision|https://en.m.wikipedia.org/wiki/CPU_time#Subdivision>