dose the osqueryd return the osuqery results inte...
# generalu
钢铁侠
11/06/2018, 3:54 AMdose the osqueryd return the osuqery results interval as you define in the schedule? what's your meaning of "is it generally considered good practice to limit scheduled queries to return results only for the period since the last time the query ran"? @shed7
s
shed7
11/06/2018, 8:27 AMThe queries return fine, it was just a general question about how to do scheduled queries. For example a scheduled query that joins rows from socket_events and process_events every 30 seconds, should itbalso have a WHERE clause restricting the results being joined to only those that were generated since the last query ran 30 seconds ago? But then I see the audit_expiry flag that when set to 1 means results will only last one query, so maybe it's not needed.
u
钢铁侠
11/06/2018, 9:35 AMyeah,you can have a WHERE clause like this "WHERE time > strftime('%s','now')-360"
钢铁侠
11/06/2018, 9:36 AM钢铁侠
11/06/2018, 9:36 AMand I do't find the audit_expiry flag
钢铁侠
11/06/2018, 9:38 AMmaybe what you say is the events_expiry flag?
s
shed7
11/06/2018, 3:59 PMah yes, that's what I mean, sorry
u
钢铁侠
11/07/2018, 6:05 AMnever mind
4 Views