Hello, I wrote a couple extensions for OsQuery that have long run times as much as 30 seconds. When scheduling them to both run every 300 seconds in a pack, they sometimes run at the same time, or at least overlap. Is there a way to guarantee ALL scheduled queries are run serially, and never at the same time? Thank you

i don't think it is possible; you could try using different timers but it's not guaranteed it's enough to avoid that situation

I may have found a fix by instead of using a pack with multiple individual queries, into a pack that calls a single combined query. By combining all the individual queries int a single query, they each run in series. This is obviously not optimal as it will only work if you want all the queries to run in the same interval of say every 5 minutes. If you want an addition query to run every 1 minute, there is potential for that 1 minute query to run at the same time as a 5 minute combined query. IMO there should be logic in OsQuery to not execute a query in a pack until any other queries have already completed. IE a Queue. I know most of what OsQuery does out of the box is pretty instant, and this problem I have is pretty much non existent, however, OsQuery is designed to run custom extensions, and users like me need to run longer running queries.

I think this is a design issue inside the extension; additionally, I'm not sure that SQLite itself actually likes when tables locks inside virtual tables (it's not something it was made for)

I don't think there is a way for the extension to check if another query is already in progress

queries should return data that is ready

If you have multiple records with millions of records, and you have to do joins, it will take time to gather the data. Having a long running querie is no different IMO. I'm not asking for OsQuery to support longer running queries, I'm stating that OsQuery should not run queries at the same time. That would just happen to resolve my issue 🙂

and in another table save the data that has been produced

The extensions I'm writing are not the standard use case. We use OsQuery to report the health of the Client, including network access. IE the client is currently utilizing CPU/Mem/HDD, and running a speedtest has so much bandwidth available. We compare what clients are doing at each site to determine if there is a problem at a specific site as compared to others. Yes, this technically goes beyond the scope of OsQuery, but again, OsQuery is designed to be extended

(otherwise, even if the schedule is serialized, the user can still lock your extension/osquery if more than one heavy table is referenced in the same SQL query)

It's not a lock if it's scheduled. IE before query is executed from a pack, ensure no other queries are currently active

i don't think it matters whether the query is scheduled or not; regardless, when the query hits the table everything is inside SQLite

Again, OsQuery manages when a query hits the table. It manages the schedule of a pack and when the query in that pack runs, IE every 300 seconds. It can certain have logic to state, it's time for the next interval to execute. Are all other complete? If so run

delaying queries like that is just a hack that will fall short as soon as multiple ad-hoc queries are run

That is true. ad-hoc queries would throw a wrench in that scenario

yeah, same for SELECT FROM heavy_table1 JOIN heavy_table2 JOIN heavy_table3

My use case is pretty unique. I doubt others are facing the same issue, otherwise there would probably already be a feature request. My initial question has been answered that OsQuery will run scheduled queries at the same time. I was hoping the answer was no

like providing a new table that contains a boolean for each running generate() in your extension

hmm, that's an interesting approach.

so that metadata table would contain a row for each busy table

I can just add a variable in my extension that keeps track. Would be easier if there was a way to query OsQuery for running queries 🙂

and everything else is handled as events

Well again in my case, I am doing speedtests. The reason I want it serialized is I don't want 2+ speedtests running at the same time. That affects the total throughput available. If it was just a case of long running queries, it wouldn't matter as the query would just report when it completed

this is usually handle with caching

caching wouldn't help if I have a pack with 5+ individual queries that are scheduled to run every 300 seconds. Each speed test would run at the same time which would cause invalid results

the HIDDEN column will not show up in SELECT statements unless directly queried

To be clear, I am running 5 different tests in my queries. IE select * from speedtest where dc = 1, and select * from speedtest where dc = 2. When executed, it runs an iperf like test to the specified DC. If both of these queries are running at the same time, the throughput for each query is cut in half

if the table is the same, a more sqlite/osquery friendly approach would be to remove the WHERE

We want to monitor the bandwidth the client has to each DC. When scheduling one to run every 300 seconds, and the second every 330, there is still potential for overlap

so one row per DC passed via configuration

I have a workaround by having a single query select * from speedtest where dc = 1 select * from speedtest where dc = 2 .... With this single saved query, each is executed in series and resolves the problem of having them in separate saved queries which would be called at the same time by the pack