Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

should osquery be sending results from different queries in one request to the /logger endpoint on TLS?

If so, is there a flag to stop this behaviour?

Yes. The results are batched up and sent together.

I suppose you could set `--logger_tls_max_lines` to 1 to get this, but then you'd likely be accumulating logs faster than they were flushing. I don't think it would work well.

only just saw this, it was an issue with our endpoint parsing things strangely