Classic/Endpoints/packs/performance-metrics.conf

{
  "platform": "windows,darwin",
  "queries": {
    "per_query_perf": {
      "query": "SELECT name, interval, executions, output_size, wall_time, (user_time/executions) AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory FROM osquery_schedule;",
      "interval": 1800,
      "description": "Records the CPU time and memory usage for each individual query. Helpful for identifying queries that may impact performance.",
      "snapshot": true
    },
    "runtime_perf": {
      "query": "SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes AS counter, db.db_size_mb AS database_size FROM osquery_info i, os_version ov, processes p, time, (SELECT (sum(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;",
      "interval": 1800,
      "description": "Track the amount of CPU time used by osquery.",
      "snapshot": true
    },
    "endpoint_security_tool_perf": {
      "query": "SELECT ((tool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS tool_time FROM processes WHERE name='endpoint_security_tool');",
      "interval": 1800,
      "description": "Track the percentage of total CPU time utilized by $endpoint_security_tool",
      "snapshot": true
    },
    "backup_tool_perf": {
      "query": "SELECT ((backuptool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS backuptool_time FROM processes WHERE name='backup_tool');",
      "interval": 1800,
      "description": "Track the percentage of total CPU time utilized by $backup_tool",
      "snapshot": true
    }
  }
}