Are labels a way to create smart groups of machines Or is it

Question

Are labels a way to create smart groups of machines Or is it a run once kind of feature I set up a label called Currently connected to USB Device with the following SQL ```SELECT path FROM mounts LEFT JOIN block devices ON mounts device = block devices name WHERE block devices type= USB ``` It correctly added my machine to the label but after removing the USB it hasn t updated The wording on your website implies that you can use labels to dynamically detect which machines are running vulnerable software

zwass · Answer

Yes labels update dynamically By default this happens every hour <https github com kolide fleet blob master docs infrastructure configuring the fleet binary md osquery label update interval>

zwass · Answer

Even if you set that to a low interval you still won t have immediate execution of a query on the machine The machine has to request a new config again after the label update

zwass · Answer

Is your query resource intensive Is there a reason you can t schedule it on all machines

Seán O&apos;Halloran · Answer

I m just trying to plan it out I was thinking maybe I could do more resource intensive queries like hashing every file if I could limit the blast radius to just machines violating our USB device policies

sundsta · Answer

You can do that with labels

zwass · Answer

You may not need labels if you craft the query to only generate hashes of files on removable drives