#general
Prakhar

01/21/2019, 7:57 AM
Hi, is it possible to schedule a query with a shorter interval (say 15 minutes) which will generate logs in differential format, but also make this query generate a log in snapshot format once every N days? I'm asking as there might be a few instances whose state doesn't change much over a shorter period of time, but we would still be interested in knowing the snapshot of some metrics once in a while. There's one epoch counter that is considered for logging data in differential format, but I guess it would impact all scheduled queries. How can we, or rather should we (as a best practice), reset this epoch counter to make the osquery daemon log results in snapshot format? Thanks
defensivedepth

01/21/2019, 12:29 PM
Why not just set up two scheduled queries? One diff, the other snapshot that runs every N days?
Prakhar

01/22/2019, 7:20 AM
Yeah, this can be done for a few queries. But when you want to scale this to, say, 50-100 queries, conf/packs would start to look messy with a lot of duplicate queries. That's why I'm looking for a more elegant way to achieve this. If this is not possible, we'll have to duplicate the queries anyway (but I would keep it as the last option 🙂).
defensivedepth

01/22/2019, 1:16 PM
You can look at schedule_epoch, but I don't think it will fit your use case: https://osquery.readthedocs.io/en/stable/deployment/logging/#schedule-epoch