Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi,
Asked the question in <#C0F5EQH28|process-auditing> but had no luck with this issue. I am trying to include parent process path (*ppath*) in the output of *process_events* table. The query below works great via osqueryi, but *ppath* field is always empty in scheduled query. The <https://github.com/osquery/osquery/issues/7352|issue> is in the *events_optimize* flag that limits the time column. Is there a way to get the parent process path in a scheduled query? Thanks!
```SELECT time, pid, path, parent AS ppid, (SELECT path FROM process_events AS pp WHERE pp.pid=p.parent) ppath FROM process_events AS p WHERE syscall='execve';```


Hi osquery experts,
Could you please help me with this question? There must be some workaround to get parent process name in process_events table, but I can't make it work.