Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
p
packetzero
12/20/2018, 6:54 PMi was going to rig up a script to parse schedule and packs in config and determine the ideal event_expiry. Before I do, has anyone already done this?
u
钢铁侠
12/21/2018, 7:26 AMso how can you get the ideal event_expiry by parse schedule and packs in config?
p
packetzero
12/21/2018, 2:58 PMideal is probably the wrong word. I guess the 'minimum' is what we are looking for. Ideally, the event_expiry=1 so they are expired right after SELECT-ing them. However, you may have several queries referencing an event table, you have to consider their intervals, and how long the queries take, and the 'events_optimize' behavior.