Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Mystery Incorporated
12/02/2021, 5:07 AMHi all, what's the secret to getting the query performance impact instead of them all being undetermined?
And yet when I look at a pack on an individual host, literally every single query is marked as excessive, is that normal?
Doesn't the watchdog protect us from excessive stuff?
t
Tomas Touceda
12/02/2021, 11:13 AMhi there! the overall query performance is aggregated across all runs. You can check the logs and see if you find any occurrences of "err" and "aggregating"
r
Rachel Perkins
12/02/2021, 2:13 PMHi -- so it should show Undetermined if the query has never been executed, Minimal if the average usertime + the average system time is under 2000, Considerable under 4000 and Excessive if it's over that. Not really useful information if they're all Undetermined or all Excessive, or is it?
g
Gavin
12/02/2021, 5:54 PMThe behaviour I have seen is it’s only populated if it’s a live query vs content of a traditional Query pack
m
Mystery Incorporated
12/03/2021, 5:45 AMHi all, yes they are part of query packs. So I guess it says undefined in the main view because they are from a query pack? But when I look at each individual host, they all say Excessive