quick question I have a query scheduled with differential ev

Question

quick question I have a query scheduled with differential every 1 min The result of the query are PID cmdline but why it sends 1 new log every 60 seconds shouldn t be the same everytime and only receive the first one

Kathy Satterlee · Answer

Can you use the <https fleetdm com docs using fleet rest api get schedule|REST API> to grab the schedule s information and post here with anything you re concerned about sharing redacted

Kathy Satterlee · Answer

And just so I know I ve asked are you looking at your status logs or result logs

Tarek Talaat · Answer

I look at result logs

Tarek Talaat · Answer

I monitor the result logs and it keeps receiving every 60 seconds

Kathy Satterlee · Answer

I figured but had to make sure I checked

Tarek Talaat · Answer

this is the config for my schedule

Tarek Talaat · Answer

and this is the query I m using select SELECT pr parent from process events as pr where pr cmdline like stuff as ppid pe cmdline from process events as pe where pe pid = ppid limit 1

Kathy Satterlee · Answer

Just want to be certain we re looking at the right schedule there It shows a 900 second frequency Is there any chance you have multiple schedules set up for the same query

Tarek Talaat · Answer

I made it 900 seconds because it was keep sending the same result when I had it 60 seconds But no I don t have another schedule for the same query

Kathy Satterlee · Answer

Got it Let me look into this a little bit and I ll get back to you Since it s a little late in the day I may not have more information for you until tomorrow

Tarek Talaat · Answer

Sure thank you

Rachel Perkins · Answer

Hey Tarek sometimes differential responds with a single add or remove line can you try Differentials ignoring removals <https osquery readthedocs io en stable deployment logging differential logs>

Tarek Talaat · Answer

I can try thank you

Tarek Talaat · Answer

Same result I keep getting result every 1 or 2 minutes depend on how I set up the time Same log is being sent every 2 minutes The log has only PID and cmdLine nothing else Not sure how this is treated as a new log every time

Rachel Perkins · Answer

Hmm what type of information are you trying to receive with running a differential query on an events table

Tarek Talaat · Answer

I m getting a process id PID and cmdLine from it

Tarek Talaat · Answer

so I assume it should be the same PID and same cmdLine every time it runs and I need to receive only one copy of it as long as it s the same PID and cmdLine

Kathy Satterlee · Answer

If you look at the data in the logs what kind of changes are you seeing

sharvil · Answer

AKAIK `differentials` don t apply to evented tables `process events` in this case they behave the same way as snapshot

Tarek Talaat · Answer

oh interesting

Tarek Talaat · Answer

didn t know that

Tarek Talaat · Answer

so in that case how long should I have my query scheduled for so the previous event is not returned In another words how long does it take for the event to be flushed from the local machine

sharvil · Answer

Generally for ` events` tables by default events are buffered locally for 24 hours but that buffered is cleared when selecting from that table The query you are using above might complicate this a bit since there is a subquery to the same `process events` and there is a `like` constraint on the table can you try to explain what that query is trying to do maybe there is a better way to structure that query

Tarek Talaat · Answer

Hello sharvii thanks for your reply What I m trying to do is finding a certain command cmdLine and get the parent file that executed this command Please let me know if there is a better way of doing this Assume a file called test sh executed a command called ifconfig then I need to get the test sh file by finding the command it executed ifconfig