makeProcessIdsUnique
Makes the process IDs in the source and destination columns unique by generating a new parent process ID and a new child process ID, which avoids collisions.
The pathFromRoot operator has no logic for handling collisions in the IDs; it works on a first-come, first-served basis.
Currently, pathFromRoot operator will produce for U and process one of the following paths:
U > B
V > B
B > G
We need to pick one of the paths listed above. The makeProcessIdsUnique operator picks the first path based on the specified ordering. The pathFromRoot operator, on the other hand, does not respect the ordering and simply picks the first one it encounters. Refer to the Example section below.
Operator Usage in Easy Mode
Click + on the parent node.
Enter the Make Process IDs Unique operator in the search field and select the operator from the Results to open the operator form.
In the Input Table drop-down, enter or select the table containing the data to run this operator on.
In the Partition by Column drop-down, enter or select a column name to partition by.
In the Order by Column drop-down, enter or select the column name to order within each partition.
In the Parent Process ID drop-down, enter or select the source column.
In the Child Process ID drop-down, enter or select the destination column.
Click Run to view the result.
Click Save to add the operator to the playbook.
Click Cancel to discard the operator form.
Usage Details
LQL Command
makeProcessIdsUnique(makeProcessIdsUniqueParentTable, $.partitionByColumn, $.orderByColumn, $.parentProcessId, $.childProcessId)
Parameters
Input Table: select the input table
Partition by Column: Partition by column name
Order by Column: Names of columns (comma separated string) to order table
Source: Name of the source column
Destination: Name of the destination column
Example
Let's assume that the input table contains the following connections from parent ID to a child ID.
Order by Column | Partition by Column | parentProcessId | childProcessId |
---|---|---|---|
1 | Ubuntu | U | B |
2 | Ubuntu | V | B |
3 | Windows | B | G |
Input table will contain the columns: partitionByColumn, orderByColumn, parentProcessId, childProcessId
makeProcessIdsUnique(makeProcessIdsUniqueParentTable, $.partitionByColumn, $.orderByColumn, $.parentProcessId, $.childProcessId)
// This will create columns for partitionByColumn, orderByColumn, parentProcessId, childProcessId
// you can pass new__parentProcessId and new__childProcessId to pathFromRoot operator
The output table will contain the following columns when you click Run in Easy Mode.
Order by Column | Partition by Column | Parent ID | Child ID | New Parent Process ID | New Child Process ID |
---|---|---|---|---|---|
1 | Ubuntu | U | B | U_0 | B_0 |
2 | Ubuntu | V | B | V_0 | B_1 |
3 | Windows | B | G | B_0 | G_0 |
Output table will contain the columns: partitionByColumn, orderByColumn, parentProcessId, childProcessId, new_parentProcessId, new_childProcessId
makeProcessIdsUnique(makeProcessIdsUniqueParentTable, $.partitionByColumn, $.orderByColumn, $.parentProcessId, $.childProcessId)
// This will create columns for partitionByColumn, orderByColumn, parentProcessId, childProcessId, new__parentProcessId, new__childProcessId
// you can pass new__parentProcessId and new__childProcessId to pathFromRoot operator
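The renaming shown in the Example tables can be modelled outside the product to see why it removes the ambiguity that pathFromRoot resolves arbitrarily. The following Python is an added example, not the operator's implementation: the suffixing rule (a child ID that has already been seen in its partition becomes a new instance, and a parent edge refers to the most recent instance) is an assumption inferred from the output table, and the function names are hypothetical.

```python
from collections import defaultdict

# Rows copied from the Example input table on this page.
ROWS = [
    {"orderByColumn": 1, "partitionByColumn": "Ubuntu", "parentProcessId": "U", "childProcessId": "B"},
    {"orderByColumn": 2, "partitionByColumn": "Ubuntu", "parentProcessId": "V", "childProcessId": "B"},
    {"orderByColumn": 3, "partitionByColumn": "Windows", "parentProcessId": "B", "childProcessId": "G"},
]

def make_ids_unique(rows, part="partitionByColumn", order="orderByColumn",
                    parent="parentProcessId", child="childProcessId"):
    """Model of the renaming (assumed rule, inferred from the example tables)."""
    by_partition = defaultdict(list)
    for row in rows:
        by_partition[row[part]].append(row)
    out = []
    for part_rows in by_partition.values():
        latest = {}  # raw ID -> suffix of its most recent instance in this partition
        for row in sorted(part_rows, key=lambda r: r[order]):
            p, c = row[parent], row[child]
            # A parent edge refers to the most recent instance of that ID.
            latest.setdefault(p, 0)
            new_parent = f"{p}_{latest[p]}"
            # A child ID seen before is treated as a new instance (reused ID).
            latest[c] = latest[c] + 1 if c in latest else 0
            out.append({**row, "new__parentProcessId": new_parent,
                        "new__childProcessId": f"{c}_{latest[c]}"})
    return out

def ambiguous_children(rows, parent, child, part="partitionByColumn"):
    """Children with more than one distinct parent inside a partition."""
    parents = defaultdict(set)
    for row in rows:
        parents[(row[part], row[child])].add(row[parent])
    return {key for key, found in parents.items() if len(found) > 1}

if __name__ == "__main__":
    renamed = make_ids_unique(ROWS)
    for r in renamed:
        print(r["partitionByColumn"], r["new__parentProcessId"], ">", r["new__childProcessId"])
    print("ambiguous before:", ambiguous_children(ROWS, "parentProcessId", "childProcessId"))
    print("ambiguous after:", ambiguous_children(renamed, "new__parentProcessId", "new__childProcessId"))
```

Running the ambiguity check on the raw columns before building a process tree shows which child IDs would otherwise be attached to an arbitrary parent.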