Does a snapshot query return result if the machine...
# fleete
Edward
04/30/2021, 9:45 PMDoes a snapshot query return result if the machine is not turned on?
z
zwass
04/30/2021, 9:50 PM
No, but scheduled query results are generated if the machine is turned on but not online. They will get sent up to the Fleet server when the machine is online again.
e
Edward
04/30/2021, 9:53 PMwhat do you mean by machine is turned on but not online?
Edward
04/30/2021, 9:53 PMlike not having internet?
z
zwass
04/30/2021, 10:07 PM
Yes
e
Edward
04/30/2021, 10:33 PMgotchat thanks!
Edward
05/03/2021, 3:23 AM@zwass, question, how can I filter out the snapshot results that are from (machine is turned on but not online) in the scheduled snapshot query pack results? Is there a particular query that I can run that can tell me whether a machine is turned on and is connected to internet atm? I want to filter these "false positives" out of my query pack result set.
m
mikermcneil
05/04/2021, 4:57 PMWhen a host is offline, scheduled query results are buffered locally by osquery, then replayed to Fleet when it comes back online.
So I don't think these would be a source of false positives per se-- but what do you mean by "false positives"?
2 Views