We noticed that in the code the timestamp (largest_partition_key) is initialized to 0. When the query returns no entities (because we are analyzing a limited time range without any security event), the timestamp is not updated and remains equal to 0.
What we have done, as a workaround, is comment out the following part in the code:
[row 369 - save_checkpoint(checkpoint_dir, checkpoint_file_name, json.dumps(jsonMarker))], in order to avoid a timestamp of 0 being saved as a checkpoint. The checkpoint is updated only when the query collects some events and returns the last timestamp read.
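The checkpoint behaviour the post describes, as an added example (not the connector's own code): the buggy form seeds the running maximum with 0, so an empty query window produces 0 and, once saved, rewinds the collector to the epoch (re-ingesting every event on the next run). The hardened form seeds the maximum with the previous checkpoint and only writes when it advanced, which is what commenting out the save_checkpoint call achieves by hand. The JSON layout of the checkpoint file, the assumption that PartitionKey values are epoch seconds, and SAMPLE_ROWS are constructed for this example.

```python
import json
import os
import tempfile

# Constructed sample query result, not data from the post. Each entity's
# PartitionKey is assumed to be an epoch-seconds timestamp (the connector's
# real schema is not shown on the page).
SAMPLE_ROWS = [
    {"PartitionKey": "1700000100", "RowKey": "a", "Event": "login"},
    {"PartitionKey": "1700000300", "RowKey": "b", "Event": "logout"},
    {"PartitionKey": "1700000200", "RowKey": "c", "Event": "login"},
]


def largest_partition_key_buggy(rows):
    """Behaviour described in the post: the running maximum starts at 0, so an
    empty query window returns 0 and, if saved, rewinds the checkpoint."""
    largest = 0
    for row in rows:
        largest = max(largest, int(row["PartitionKey"]))
    return largest


def next_checkpoint(rows, previous_checkpoint):
    """Hardened version: seed the running maximum with the previous checkpoint
    so an empty window (or rows older than the checkpoint) never moves it
    backwards."""
    largest = previous_checkpoint
    for row in rows:
        largest = max(largest, int(row["PartitionKey"]))
    return largest


def load_checkpoint(checkpoint_dir, checkpoint_file_name):
    """Return the stored largest_partition_key, or 0 when no checkpoint exists
    yet (first run). The JSON layout is an assumption for this example."""
    path = os.path.join(checkpoint_dir, checkpoint_file_name)
    if not os.path.exists(path):
        return 0
    with open(path, "r", encoding="utf-8") as fh:
        return int(json.load(fh)["largest_partition_key"])


def save_checkpoint(checkpoint_dir, checkpoint_file_name, marker_json):
    """Persist the marker; same call shape as the line quoted in the post."""
    os.makedirs(checkpoint_dir, exist_ok=True)
    path = os.path.join(checkpoint_dir, checkpoint_file_name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(marker_json)


def run_cycle(checkpoint_dir, checkpoint_file_name, rows):
    """One collection cycle. Writes the checkpoint only when it advanced,
    so an empty window leaves the stored position untouched."""
    previous = load_checkpoint(checkpoint_dir, checkpoint_file_name)
    current = next_checkpoint(rows, previous)
    if current > previous:
        json_marker = {"largest_partition_key": current}
        save_checkpoint(checkpoint_dir, checkpoint_file_name, json.dumps(json_marker))
    return current


def demo():
    """Run two cycles in a scratch directory: one with events, one with an
    empty window. Returns (buggy_empty_result, after_events, after_empty, on_disk)."""
    checkpoint_dir = tempfile.mkdtemp()
    name = "checkpoint.json"
    after_events = run_cycle(checkpoint_dir, name, SAMPLE_ROWS)
    after_empty = run_cycle(checkpoint_dir, name, [])
    on_disk = load_checkpoint(checkpoint_dir, name)
    return largest_partition_key_buggy([]), after_events, after_empty, on_disk


if __name__ == "__main__":
    print(demo())  # (0, 1700000300, 1700000300, 1700000300)
```

The `current > previous` guard does double duty: it skips the write on an empty window, and it also refuses to rewind if a later query unexpectedly returns only entities older than the stored position, so the collector's place in the table can only move forward.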