#fleet I think I have found a defect in Feet version 4.22.1, where hosts associated with a disabled pack can still get the queries in the disabled packs and schedule them to run. I see the issue only with the host association, not labels.

Hi @Gudina! I'm trying to replicate this ton both 4.22.1 and 4.27.0. Can you give me a detailed rundown of what steps to take to replicate the issue and what data you're looking at?

Hi @Kathy Satterlee; thank you for looking into this! Here are some high-level steps for reproducing the issue: • Create a query • Associate the query with the pack • Set pack target: pick individual hosts from the list • Enable the pack • Disable the pack • Check the osquery log on the hosts and see if you still see log entries similar to

scheduler.cpp:120] Executing scheduled query

Hi! Left an instance running over the weekend and will be checking in on it shortly.

Thank you @Kathy Satterlee! Are you seeing a similar result for Feet v 4.22.1?

I actually dug into the database and can see that they are still showing up in scheduled queries. Getting a ticket submitted now.

Excellent, thank you @Kathy Satterlee !

Hi @Kathy Satterlee, do you have a workaround for the issue? As a workaround, I wondered if I could remove rows in

scheduled_queries

associated with the disabled packs?

I'd back up the packs with

fleetctl get packs --yaml

and remove the disabled queries from your packs for now.

Ok, thank you for confirming that and adding the backup step for the workaround.