In

file-format.md

docs:

# "additional" information to collect from hosts along with the host
    # details. This information will be updated at the same time as other host
    # details and is returned by the API when host objects are returned. Users
    # must take care to keep the data returned by these queries small in
    # order to mitigate potential performance impacts on the Fleet server.
    additional_queries:
      time: select * from time
      macs: select mac from interface_details

1. What is meant by "small" here? 2. How frequently do these queries get run by the hosts? Is there a way to specify intervals / reduce the intervals? <thread>

That data is added to the host's row in the db. So there will be performance impacts.

nods yeah that makes sense. I'm wondering if maybe it would have less impact to separate them into their own table / API endpoint / allow those queries to be run less frequently (say, once per day or something) 🤷 Or just in general if there's a good way to collect this data / expose it in a consumable way in fleet, but without being prohibitively expensive in terms of perf impact.

I mean. you can read the PR I think we talked about this 🙂

this one? https://github.com/kolide/fleet/pull/2236 I've read it, just trying to get some advice about this use case. I think what I'm hearing is I need to be careful and do my own testing. Which, to be fair, I would do my own testing before rolling this out to a large group of hosts eventually 🤷

I don’t know fleet super well, but can you do this by adding a pack?

Yes, but then I'm having to go look through Splunk (in my env) and try to just get the last results for a host. And some hosts might be offline for quite a while, which means the search might need to go back a long time. If this was in fleet, I'd get it "for free"

Yes, well…

This field is updated along with all the other host details. Configurable by https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md#osquery_detail_update_interval.