{"id":47643,"date":"2021-11-16T15:22:21","date_gmt":"2021-11-16T15:22:21","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=47643"},"modified":"2021-11-16T15:22:21","modified_gmt":"2021-11-16T15:22:21","slug":"answer-by-warren-for-splunk-grandparent-from-process-and-parent-process","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=47643","title":{"rendered":"Answer by warren for Splunk &#8211; &#8220;grandparent from process and parent process&#8221;"},"content":{"rendered":"<p>One possible <em>major<\/em> issue you could have is that process IDs get reused <em>all the time<\/em> &#8211; so even if you know the ID of what spawned your current process, you <em>may not<\/em> actually be able to find the process that spawned <em>that<\/em> process.<\/p>\n<p>If you&#8217;re OK with that, and you have a pretty definite time window within which you think all of this has happened&#8230;something like this should work:<\/p>\n<pre><code>index=ndx sourcetype=srctp process=&quot;calc.exe&quot; process_id=* parent_process_id=*\n| join parent_process_id\n    [ | search index=ndx sourcetype=srctp process=* process_id=* parent_process_id=*\n    | stats count by process_id process parent_process_id\n    | rename parent_process_id as grandparent_process_id process as spawn_process\n    | rename process_id as parent_process_id\n    | fields - count ]\n| table process process_id parent_process_id spawn_process grandparent_process_id \n<\/code><\/pre>\n<p><em>Normally<\/em>, you want to avoid the use of <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/join\" rel=\"nofollow noreferrer\"><code>join<\/code><\/a> as much as possible (it&#8217;s expensive to run, and there are some limitations that may be unacceptable &#8230; depending on your environment and use cases). 
But sometimes it&#8217;s the best way to get what you&#8217;re looking for.<\/p>\n<p>And it <em>may<\/em> be faster to invert the search (run the SPL that finds the <code>grandparent_process_id<\/code> outside, and the one that finds your specific <code>process_id<\/code> and <code>parent_process_id<\/code> as the inner search).<\/p>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/69979427\/splunk-grandparent-from-process-and-parent-process\/69991673#69991673<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One possible major issue you could have is that process IDs get reused all the time &#8211; so even if you know the ID of what spawned your current process, you may not actually be able to find the process that spawned that process If you&#8217;re OK with that, and you have a pretty definite &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=47643\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for Splunk &#8211; &#8220;grandparent from process and parent 
process&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-47643","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/47643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=47643"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/47643\/revisions"}],"predecessor-version":[{"id":47644,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/47643\/revisions\/47644"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=47643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=47643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=47643"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=47643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated
":true}]}}