# general
Hello! I'm wondering how you solve the issue of not having a differential output at start up of a new server. We have auto scaling in AWS and new servers pop up all the time. If I just include osquery in the image so that it auto starts it will log added for every query the first time. This means that I get false positives in my logs since I'm getting full output instead of deviations from the baseline. Is there a nice way to solve this?
Ran into a similar issue, have been filtering out results where the counter is 0. https://osquery.readthedocs.io/en/stable/deployment/logging/#schedule-counter
Can you filter out the known “good” values in the queries themselves?
I would agree with both approaches above. @clong's has the advantage of reducing the total results logged, while Eric's requires no extra work up front.
Thank you for your input! Just filtering out based on the counter will work!