Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

When it says last fetched for each osqueryd agent, is that the value of osquery_detail_update_interval ?

I notice that osquery_detail_update_interval is defaulted to 1hr, when I set it to `osquery_detail_update_interval: 25m` the refetch rate doesn't seem to change is that expected or not? it's not clear.

Last fetched is based on when the queries were actually last run. The update interval is how often they should run.

<@U0JFM04MS> do you mean on demand queries? So I shouldn't see a refetch unless I run an on demand query is that right?

No. The host "vitals" are retrieved via the same mechanism that live queries use, but they are initiated automatically by the Fleet server any time the vitals are older than the configured interval.

<@U0JFM04MS> hmm ok what is the setting for the interval might I ask? Because my live query interval is 90 seconds and I have hosts not being refreshed for at least an hour, and my config_refresh interval is 25 minutes

```        logger_plugin: tls
        config_refresh: 90
        pack_delimiter: /
        logger_tls_period: 5
        distributed_plugin: tls
        disable_distributed: false
        logger_tls_endpoint: /api/v1/osquery/log
        distributed_interval: 95
        distributed_tls_max_attempts: 5
        osquery_detail_update_interval: 25m```


^ This is my current config and I am seeing hosts saying last checked in an hour ago

<@U0JFM04MS> I would have thought osquery_detail_update_interval was the one with which osquery would check in with refetched details?

`distributed_interval` is a flag on osquery. It's how often osquery will make a distributed query request to Fleet. `osquery_detail_update_interval` is a flag on Fleet. It's how often Fleet will respond to a distributed query request with the detail queries. Does this help clear things up?

<@U0JFM04MS> actually I think I understand what you mean, osquery_detail_update_interval tells osqueryd on the next distributed query checkin to reply with the details? That is what you mean right?

Yes I see I found it on the old kolide doco with google <https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md>

What does --osquery_label_update_interval do??? What is a label query I never even heard of such a thing?

Ok yes I see that it is refetching in ~25m intervals now

Still don't know what a label query is lol

Current docs: <https://github.com/fleetdm/fleet/blob/main/docs/2-Deploying/2-Configuration.md>

Heh yea just seems unfortunate that Google takes the old doco as canonical and doesn't seem to update paths with the new doco. I guess I could and should search the repo directly. But I still don't know what a label query is :/

Ah I see now, I was completely missing the label button in Fleet UI. I see, it groups hosts into a label using a query result. Got it.