Maksym Varnakov

10/31/2022, 4:45 PM
Hi all, trying to include the parent process path (ppath) in the output of the process_events table. The query below works great via osqueryi, but the ppath field is always empty in a scheduled query. The issue is in the events_optimize flag that limits the time column.
SELECT time, pid, path, parent AS ppid, (SELECT path FROM process_events AS pp WHERE pp.pid=p.parent) ppath FROM process_events AS p WHERE syscall='execve';
Does anybody know any workaround or fix to have ppath included? I would really appreciate any help 🙂