hello team, I encountered something that looks like a bug with bpf_socket_events. the ‘parent’ field is showing a process ID which is missing the first digit. Here is an example. Any clue? osquery> select pid,parent from bpf_socket_events where remote_address = ‘10.28.11.73’; [ {“parent”:“100965",“pid”:“2101011"} ] osquery> select pid,parent from processes where pid = ‘2101011’; [ {“parent”:“2100965",“pid”:“2101011"} ]

Thanks for the report, we'll look into it! 🙂