Hi there! I have a question about running differential queries in osquery and fleetdm. For example, when this type of query is run on a machine, where are the results saved for comparison? On the Osquery's or Fleetdm's side? I'm having a problem with a large amount of network consumption traffic (outbound and inbound) from fleetdm. Since I have a considerable amount of "Differential" queries, I think that the fleetdm could send the information back to the clients to get the differential value, and the clients send that information back. I found that my Fleetdm server is receiving 100GB of traffic data from agents, but only 20GB is logged in results.log and less in status.log. Thanks in advance,

is that a daily or monthly ingestion?

Daily ingestion

How many hosts do you have enrolled and roughly how many queries are you running on a daily basis?

There were 17 queries, every query had diffent times of execution, most executed every 5 min In total there is 9500 hosts

Differential queries are "diffed" on the local machine. Osquery stores the results in RocksDB and generates a diff before sending the logs.