One possible major issue you could have is that process IDs get reused all the time – so even if you know the ID of what spawned your current process, you may not actually be able to find the process that spawned that process.
If you’re OK with that, and you have a pretty definite time window within which you think all of this has happened … something like this should work:
index=ndx sourcetype=srctp process="calc.exe" process_id=* parent_process_id=*
| join parent_process_id
    [ | search index=ndx sourcetype=srctp process=* process_id=* parent_process_id=*
      | stats count by process_id process parent_process_id
      | rename parent_process_id as grandparent_process_id process as spawn_process
      | rename process_id as parent_process_id
      | fields - count ]
| table process process_id parent_process_id spawn_process grandparent_process_id
Normally, you want to avoid the use of join as much as possible (it’s expensive to run, and there are some limitations that may be unacceptable … depending on your environment and use cases). But sometimes it’s the best way to get what you’re looking for.
And it may be faster to invert the search (run the SPL that finds the grandparent_process_id outside, and the one that finds your specific process_id and parent_process_id as the inner search).
from User warren – Stack Overflow https://stackoverflow.com/questions/69979427/splunk-grandparent-from-process-and-parent-process/69991673#69991673
via IFTTT
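The PID-reuse problem the answer opens with is easiest to see on concrete data. The Python below is an added example, not code from the Stack Overflow answer or from Splunk; it builds a handful of constructed process-creation records with the same four fields the SPL uses (process, process_id, parent_process_id, plus a creation time), shows that a plain join on parent_process_id picks the first PID match regardless of when it existed, and then resolves the parent the way the "definite time window" caveat implies: the most recent creation of that PID at or before the child was created, optionally bounded by a window. The field names, the ProcEvent class and the sample events are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names mirror the SPL in the answer).
    This class and its fields are an assumption for the example."""
    t: int                   # creation time in seconds (constructed value)
    process: str
    process_id: int
    parent_process_id: int


# Constructed sample events, not real telemetry. PID 4000 is created twice:
# first as svchost.exe (long since exited), then reused by cmd.exe, which is
# the process that really spawns calc.exe.
EVENTS: List[ProcEvent] = [
    ProcEvent(1000, "services.exe", 700, 4),
    ProcEvent(1010, "svchost.exe", 4000, 700),    # first use of PID 4000
    ProcEvent(1500, "explorer.exe", 2200, 900),
    ProcEvent(1600, "cmd.exe", 4000, 2200),       # PID 4000 reused
    ProcEvent(1650, "calc.exe", 5100, 4000),
]


def first_match_parent(events: List[ProcEvent], child: ProcEvent) -> Optional[ProcEvent]:
    """What a plain join on parent_process_id amounts to: the first event whose
    process_id equals the child's parent_process_id, with no regard to time.
    This returns the wrong process once the PID has been reused."""
    for e in events:
        if e.process_id == child.parent_process_id:
            return e
    return None


def resolve_parent(events: List[ProcEvent], child: ProcEvent,
                   window: Optional[int] = None) -> Optional[ProcEvent]:
    """Time-aware resolution: the parent is the most recent creation of
    child.parent_process_id that happened at or before the child's own
    creation, and (if window is given) no more than `window` seconds earlier.
    Returns None when no creation event fits, which is the honest answer when
    the log does not cover the window."""
    candidates = [
        e for e in events
        if e.process_id == child.parent_process_id
        and e.t <= child.t
        and (window is None or child.t - e.t <= window)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.t)


def ancestry(events: List[ProcEvent], process_name: str,
             window: Optional[int] = None) -> List[Dict[str, object]]:
    """Build rows shaped like the SPL `table` output: process, process_id,
    parent_process_id, spawn_process (the parent's name) and
    grandparent_process_id, one row per matching child event."""
    rows: List[Dict[str, object]] = []
    for child in events:
        if child.process != process_name:
            continue
        parent = resolve_parent(events, child, window)
        rows.append({
            "process": child.process,
            "process_id": child.process_id,
            "parent_process_id": child.parent_process_id,
            "spawn_process": parent.process if parent else None,
            "grandparent_process_id": parent.parent_process_id if parent else None,
        })
    return rows


if __name__ == "__main__":
    calc = EVENTS[-1]
    print("naive join parent :", first_match_parent(EVENTS, calc).process)   # svchost.exe
    print("time-aware parent :", resolve_parent(EVENTS, calc).process)       # cmd.exe
    for row in ancestry(EVENTS, "calc.exe"):
        print(row)
```

Note that the time-aware lookup still depends on the log containing the second creation of PID 4000; if the reuse was never logged (or fell outside the searched window), the latest-before-child rule silently falls back to the stale svchost.exe record, which is exactly why the answer insists on a tight, known time window.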