Tarek Talaat
4 weeks ago
Quick question: I have a query scheduled with differential every 1 min. The result of the query is "PID, cmdline", but why does it send 1 new log every 60 seconds? Shouldn't it be the same every time, so I only receive the first one?
Kathy Satterlee
4 weeks ago
Can you use the REST API to grab the schedule's information and post it here, with anything you're concerned about sharing redacted?
And, just so I know I've asked, are you looking at your status logs or result logs?
Tarek Talaat
4 weeks ago
I look at result logs.
I monitor the result logs and they keep arriving every 60 seconds.
Kathy Satterlee
4 weeks ago
I figured, but had to make sure I checked!
Tarek Talaat
4 weeks ago
This is the config for my schedule.
And this is the query I'm using: select ( SELECT pr.parent from process_events as pr where pr.cmdline like "stuff" ) as ppid, pe.cmdline from process_events as pe where pe.pid = ppid limit 1
Kathy Satterlee
4 weeks ago
Just want to be certain we're looking at the right schedule there... It shows a 900 second frequency. Is there any chance you have multiple schedules set up for the same query?
Tarek Talaat
4 weeks ago
I made it 900 seconds because it kept sending the same result when I had it at 60 seconds. But no, I don't have another schedule for the same query.
Kathy Satterlee
4 weeks ago
Got it. Let me look into this a little bit and I'll get back to you. Since it's a little late in the day, I may not have more information for you until tomorrow.
Tarek Talaat
4 weeks ago
Sure, thank you.
Rachel Perkins
4 weeks ago
Hey Tarek, sometimes differential responds with a single add or remove line. Can you try Differentials (ignoring removals)? https://osquery.readthedocs.io/en/stable/deployment/logging/#differential-logs
Tarek Talaat
4 weeks ago
I can try, thank you.
Same result. I keep getting a result every 1 or 2 minutes, depending on how I set up the time. The same log is being sent every 2 minutes. The log has only PID and cmdLine, nothing else. Not sure how this is treated as a new log every time.
Rachel Perkins
3 weeks ago
Hmm, what type of information are you trying to receive by running a differential query on an events table?
Tarek Talaat
3 weeks ago
I'm getting a process id (PID) and cmdLine from it.
So I assume it should be the same PID and same cmdLine every time it runs, and I need to receive only one copy of it, as long as it's the same PID and cmdLine.
Kathy Satterlee
3 weeks ago
If you look at the data in the logs, what kind of changes are you seeing?
sharvil
3 weeks ago
AFAIK differentials don't apply to evented tables (process_events) in this case — they behave the same way as snapshot.
Tarek Talaat
3 weeks ago
Oh interesting, didn't know that.
So in that case, how long should I have my query scheduled for so that the previous event is not returned? In other words, how long does it take for the event to be flushed from the local machine?
sharvil
3 weeks ago
Generally, for _events tables, by default events are buffered locally for 24 hours… but that buffer is cleared when selecting from that table. The query you are using above might complicate this a bit, since there is a subquery to the same process_events table and there is a like constraint on the table — can you try to explain what that query is trying to do? Maybe there is a better way to structure that query.
Tarek Talaat
3 weeks ago
Hello @sharvil, thanks for your reply. What I'm trying to do is find a certain command "cmdLine" and get the parent file that executed this command. Please let me know if there is a better way of doing this. Assume a file called test.sh executed a command called "ifconfig"; then I need to get the "test.sh" file by finding the command it executed, "ifconfig".