# kolide
d
hey folks - I'm running a distributed query against the yara table. If I use a simple yara rule file it works fine, but when I try a large rules file it always returns 0 results (but doesn't "fail"). I tried running the same query with osqueryi and it works as expected. Is there an issue dealing with large yara sig files via distributed? Seems weird. The query is like this: SELECT * FROM yara WHERE path="/root/test" AND sigfile="/root/rules/good.yar";
z
This is an interesting one... do you get the results if you schedule that same query via Fleet?