i am running a query to get airdrop details from mac but i am getting an error: query : SELECT * FROM unified_log where process=“sharingd” and category=“AirDrop” and message like “Start transaction to%“; error: distributed query is denylisted i see in older questions that it was resolved by updating but i already updated to latest fleet and still facing issues

That error means that your query is running too long/using too many resources for your osquery config. If you aren't worried about OSquery running using a bunch of resources you can set

--watchdog_level=-1

to disable limits

For any macOS device that has been used for longer than a few days, you can’t query the unified log via OSQuery with the default watchdog settings - there’s simply too many log entries to process within the limits. If disabling the limits is an option, you could do that (see Keith’s post above). Otherwise, all

unified_log

queries should have the

timestamp

greater-than-equal constraint specified to bound the search, e.g.

SELECT * FROM unified_log where process="sharingd" and category="AirDrop" and message like "Start transaction to%" and timestamp >= (SELECT unix_time-3600 FROM time);

to get the relevant log entries from the past hour (3600 seconds). Note that I think there’s a memory leak with the

unified_log

table, so even if your query succeeds, a subsequent query might get denylisted (as the watchdog doesn’t expect leaks after query execution). I’d do some testing first if you want to roll out a scheduled

unified_log

query.