FAQ.md:Add new entry related to default UI sorting (#9004)

Add question regarding the use of an ORDER BY clause to explain why that
sort may not match what the UI shows as results are received from hosts.

# Checklist for submitter: n/a

Co-authored-by: Chris McGillicuddy <108031970+chris-mcgillicuddy@users.noreply.github.com>
Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>
Reagan Evans 2023-01-23 15:12:12 -06:00 committed by GitHub
parent cfd24c5af7
commit 5947bd74f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -16,6 +16,7 @@
- [What are my options for storing the osquery logs?](#what-are-my-options-for-storing-the-osquery-logs)
- [Troubleshooting](#troubleshooting)
- [Why does the same query come back faster sometimes?](#why-does-the-same-query-come-back-faster-sometimes)
- [Why don't my query results appear sorted based upon the ORDER BY clause I specified in my SQL query?](#why-dont-my-query-results-appear-sorted-based-upon-the-ORDER-BY-clause-I-specified-in-my-SQL-query)
- [What happens if I have a query on a team policy and I also have it scheduled to run separately?](#what-happens-if-i-have-a-query-on-a-team-policy-and-i-also-have-it-scheduled-to-run-separately)
- [Why arent my live queries being logged?](#why-arent-my-live-queries-being-logged)
- [Why does my query work locally with osquery but not in Fleet?](#why-does-my-query-work-locally-with-osquery-but-not-in-fleet)
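Review bot: the anchor in the new table-of-contents entry keeps uppercase letters (`-ORDER-BY-` and `-I-specified-in-my-SQL-query`), while every other entry in this list is all lowercase because Markdown renderers generate heading ids in lowercase; as written, the link will not resolve to the new heading. Change it to `#why-dont-my-query-results-appear-sorted-based-upon-the-order-by-clause-i-specified-in-my-sql-query` so it matches the convention used by the surrounding entries.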
@ -143,6 +144,10 @@ Don't worry, this behavior is expected; it's part of how osquery works.
Fleet and osquery work together by communicating with heartbeats. Depending on how close the next heartbeat is, Fleet might return results a few seconds faster or slower.
>By the way, to get around a phenomena called the "thundering herd problem", these heartbeats aren't exactly the same number of seconds apart each time. osquery implements a "splay", a few ± milliseconds that are added to or subtracted from the heartbeat interval to prevent these thundering herds. This helps prevent situations where many thousands of devices might unnecessarily attempt to communicate with the Fleet server at exactly the same time. (If you've ever used Socket.io, a similar phenomena can occur with that tool's automatic WebSocket reconnects.)
## Why don't my query results appear sorted based upon the ORDER BY clause I specified in my SQL query?
When a query executes in Fleet, the query is sent to all hosts at the same time, but results are returned from hosts at different times. In Fleet, results are shown as soon as Fleet receives a response from a host. Fleet does not sort the overall results across all hosts (the sort UI toggle is used for this). Instead, Fleet prioritizes speed when displaying the results. This means that if you use an `ORDER BY` clause selection criteria in a query, the results may not initially appear with your desired order, however, the sort UI toggle allows you to sort by ascending or descending order for any of the displayed columns.
## What happens if I have a query on a team policy and I also have it scheduled to run separately?
Both queries will run as scheduled on applicable hosts. If there are any hosts that both the scheduled run and the policy apply to, they will be queried twice.
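Review bot: the final sentence of the new FAQ answer is a run-on ("...desired order, however, the sort UI toggle allows you...") and the phrase "`ORDER BY` clause selection criteria" reads awkwardly; the parenthetical "(the sort UI toggle is used for this)" also lands right after the statement that Fleet does not sort, which is confusing on first read. Suggest splitting it, for example: "This means that if you use an `ORDER BY` clause in a query, the results may not initially appear in the order you specified. However, the sort toggle in the UI lets you sort any displayed column in ascending or descending order." and folding the parenthetical into that closing sentence. It would also help readers to say whether the `ORDER BY` is still honored within a single host's own result set, since the answer as written only addresses ordering across hosts.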