Is there a way to convert epoch directly in a query? (I was hoping I could do select from_unixtime(time), but this appears not to work - no such function?)

@Tor Houghton, you can, here is an article I wrote on various epoch conversions: https://blog.kolide.com/8-sql-snippets-to-make-you-an-osquery-datetime-expert-a7e418087915#f14e

Super! Now I can do SELECT uid,datetime(time,'unixepoch'),path,cmdline FROM bpf_process_events ORDER BY time DESC LIMIT 100;