Is there a different way I can approach troubleshooting this?

Use

--tls_dump

on the osquery invocation and see what config it is pulling down.

so it looks like there was a typo in the decorator query (my b), but somewhere between

fleetctl apply

and the host instance getting the config, it silently fails.

Have you checked the osqueryd logs? Seems like it would show up there, especially if you add the

--verbose

flag

I did, didn't seem to see anything there, could be that the config doesn't get pulled down right away after every service restart, and is defined by

config_refresh