Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I’ve run into an odd issue, where my scheduled query to retrieve installed packages (`select * from deb_packages;`) is not logging any results. Other queries in the same pack with the same platform targets and schedule return results. Additionally, the `osquery_status` log confirms the query is executing on the intended schedule. Running the same query against the same host in the Fleet UI works. Does anyone have any ideas what may be wrong, or where I can look for more info to troubleshoot this?

Figured it out. Seems to be a size limit in GCP Pub/Sub. Their documentation indicates a max message size of 10MB though, which my `select * from deb_packages` should be way under.

Or is it possible that you scheduled it in differential mode and nothing is changing?

Ah, turns out to be an undocumented ingestion limit on our logging platform. Not an issue with Fleet or PubSub