Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Mike Myers
04/22/2021, 5:49 PMCreating many SST files was a problem with an earlier version of osquery, are you running a recent version?
j
Juan Alvarez
04/22/2021, 5:52 PMwe are running 4.6.0
saw that before github issue before but i understood it would not apply to 4.6.0
t
theopolis
04/22/2021, 6:07 PMAre you comfortable sharing your db with me to debug?
j
Juan Alvarez
04/22/2021, 6:11 PMi cant share it unfortunately 😞 Is there any steps i could take to debug?
we have seen that at some point we created many powershell_events that were included there (pretty big ones). I have disabled powershell_events now, but would that not cleanup de db?
that table was never queried, tho it was enabled in the flags
t
theopolis
04/23/2021, 1:06 PMThat could be it, osquery will store the last 50k by default then start removing batches
j
Juan Alvarez
04/23/2021, 1:12 PMolder SST files do never get deleted? or should it remove them?
finally, i reproduced the symptoms locally and uploaded a database dump, i have created this: https://github.com/osquery/osquery/issues/7079
🆒 1