Hello! Does Kolide Fleet’s distributed query feature have a default timeout?

No. Queries will remain "active" (eg. will be executed on any targeted host that hasn't yet executed it) as long as the results page is open (or

fleetctl query

is still running).

It might be nice to add a timeout parameter to fleetctl

Can you tell me more about the use case/file an issue?

@zwass we have a fairly large macOS fleet (1500+) and when running a distributed across the fleet we’d like to be able to only hit hosts that are online rather than Kolide attempting to query all hosts it’s aware of. I presume when using a distributed query Kolide attempts to query offline hosts as well?

Are you using fleetctl or the web UI?

webUI @zwass

I have a similar situation. I’d like to be able to automate using queries using fleetctl. Having it sit and spin forever makes that challenging

I can see adding the timeout to fleetctl so that it can be used for automation. @harveywells Can you help me understand better what the use case would be int the web UI?

@zwass just for a faster feedback loop. Some distributed queries have taken up to an hour to complete. We can take note of the online clients and stop the query once the appropriate amount of records have been returned but it would be nice for Kolide to handle this for us. +1 to @leadZERO’s idea of adding a timeout to

fleetctl

for query automation.

I am convinced of the value of this for the

fleetctl query

command, and I think it will be pretty easy to implement. I created an issue to track that (https://github.com/kolide/fleet/issues/1987). If you are interested in similar functionality for the web UI, I would need to better understand what use case it enables that is not otherwise served.