Hello, I'm trying to figure out how to get a username string from a _*process_events*_ without querying the users table at every execution. We're hitting performance issues with a user table holding a large number of entires.. sadly _*logged_in_users*_ does not appear to contain any id data. Anyone have any performance tips here ?

Hi Hamish, maybe one of the new tables that uses different process event subsystems would be helpful. But that depends on which platform you are querying. Is it Windows?

Using Linux.. centos

If it is a somewhat recent kernel, 5.4 or later, @alessandrogario has a PR with a new higher performance process events table https://github.com/osquery/osquery/pull/7773

We should add users and groups to that!