Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

It’s easy to run expensive queries. One thing to look at is the `osquery_schedule` table. <https://blog.kolide.com/profiling-osquery-performance-with-kolide-cloud-8e01097469db> has some info (and there are probably other blog posts about)

This post references wall_time, is wall_time the cumulative time the query has run across all executions? Or is this the time spent per each execution?

<@U9R9L3PCY> hey, i wrote that blog post - wall time is based on the last run

you can verify this by scheduling something expensive with a short interval, and querying `select name, executions, wall_time, user_time from osquery_schedule`

you’ll see executions and user time increasing, and wall time should remain about the same

woogs, after digging in the source, i was wrong on that, and i’ll have to update the blog - wall time is the difference between unixtimes, which can definitely be zero for fast queries

<https://github.com/facebook/osquery/blob/f9620a9f8be2e458086431ea9ee3d6a6e56c2d2a/osquery/dispatcher/scheduler.cpp#L72>

<https://github.com/facebook/osquery/blob/f9620a9f8be2e458086431ea9ee3d6a6e56c2d2a/osquery/dispatcher/scheduler.cpp#L93>

awesome! Thanks for taking a look, been trying to figure out how to interpret that data

i actually asked that same question a while ago and nobody picked up the nuance - i just wrote that knowing it was ‘milliseconds of execution time’

thanks for calling it out :slightly_smiling_face: