Brad Girardeau

11/08/2022, 8:32 PM
Hi, sharing this proposal around making epoch and counter fields more consistent. I'd like to use the same osquery rules for both low-latency streaming alerts and queries over previous snapshots by rotating the epoch every few days, but in the current state this could lead to either duplicate or missing alerts (depending on whether counter=0 events are ignored). This seems feasible to fix with a few small changes without messing up existing use cases - open to feedback people have on the idea 🙂