is there any difference in the queries for policies and live queries?(i assume no) I am running a query to remove certain test hosts from a policy and the host keeps showing up. when i run a live query, it does not show but when i run the same query in the policy editor, the host "penguin" keeps showing as a failed policy. Do i need to save and let the policy run again to clear previous results? is there a better way to do this rather than join these tables? i tried doing via the uuid thinking maybe it was a hidden attribute since the host name always shows in the results for any table. thanks in advance for any assitance

SELECT * FROM deb_packages
full outer join system_info
WHERE system_info.hostname not like 'penguin' AND name LIKE 'REDACTED_DEB_NAME...' AND status='install ok installed'
limit 1;

Policies are updated based on the interval you have set in Fleet. Does that policy still show as failing after that interval has passed?

If the host returns no results for a policy, that host will show as "failed" in the UI. As Kathy said, it updates on that configured interval. Do I interpret correctly that you want your policy to pass for hosts that have that package installed, and also pass for hosts that have a hostname that does not include "penguin"? If so, I'd probably do this: SELECT * FROM deb_packages WHERE name LIKE 'REDACTED_DEB_NAME...' AND status='install ok installed' LIMIT 1 UNION SELECT 1 FROM system_info WHERE hostname NOT LIKE '%penguin%'; ;

@Kathy Satterlee i will check that out today