host_processes

x-pack/osquerybeat/ext/osquery-extension/docs/views/host_processes.md

% This file is generated! See ext/osquery-extension/cmd/gentables.

host_processes

(Deprecated.) Backward-compatible view over elastic_host_processes; use elastic_host_processes instead.

Platforms

  • ✅ Linux
  • ❌ macOS
  • ❌ Windows

Description

Deprecated. This view is deprecated in favor of the elastic_host_processes table. It exists only for backward compatibility (SELECT * FROM elastic_host_processes). Use elastic_host_processes directly in new use cases.

Schema

| Column | Type | Description |
|--------|------|-------------|
| pid | BIGINT | Process (or thread) ID |
| name | TEXT | The process path or shorthand argv[0] |
| path | TEXT | Path to executed binary |
| cmdline | TEXT | Complete argv (command line arguments) |
| state | TEXT | Process state (R=running, S=sleeping, D=disk sleep, Z=zombie, T=stopped) |
| cwd | TEXT | Process current working directory |
| root | TEXT | Process virtual root directory |
| uid | BIGINT | Unsigned user ID (real UID) |
| gid | BIGINT | Unsigned group ID (real GID) |
| euid | BIGINT | Unsigned effective user ID |
| egid | BIGINT | Unsigned effective group ID |
| suid | BIGINT | Unsigned saved user ID |
| sgid | BIGINT | Unsigned saved group ID |
| on_disk | INTEGER | The process path exists; yes=1, no=0, unknown=-1 |
| wired_size | BIGINT | Bytes of unpageable memory (always 0 on Linux) |
| resident_size | BIGINT | Bytes of private memory used by process (RSS) |
| total_size | BIGINT | Total virtual memory size |
| user_time | BIGINT | CPU time in milliseconds spent in user space |
| system_time | BIGINT | CPU time in milliseconds spent in kernel space |
| disk_bytes_read | BIGINT | Bytes read from disk |
| disk_bytes_written | BIGINT | Bytes written to disk |
| start_time | BIGINT | Process start time in seconds since Epoch, or -1 if error |
| parent | BIGINT | Process parent's PID (PPID) |
| pgroup | BIGINT | Process group ID |
| threads | INTEGER | Number of threads used by process |
| nice | INTEGER | Process nice level (-20 to 20, default 0) |

Required Tables

This view requires the following tables to be available:

  • elastic_host_processes

View Definition

```sql
CREATE VIEW host_processes AS
SELECT * FROM elastic_host_processes;
```

Examples

Query host processes (same as elastic_host_processes)

```sql
SELECT * FROM host_processes;
```
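The following is an added example, not part of the generated documentation or the Beats code base: it uses Python's `sqlite3` module as a stand-in for osquery to show that a triage query over the `on_disk`, `uid`, `euid` and `parent` columns returns the same rows from the deprecated view and from `elastic_host_processes`, so existing queries can be migrated by changing only the table name. The reduced table layout, the sample rows and the function names are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample rows (not real telemetry):
# pid, name, path, uid, euid, on_disk, parent
SAMPLE_ROWS = [
    (1, "systemd", "/usr/lib/systemd/systemd", 0, 0, 1, 0),
    (812, "sshd", "/usr/sbin/sshd", 0, 0, 1, 1),
    (2040, "bash", "/usr/bin/bash", 1000, 1000, 1, 812),
    (2077, "passwd", "/usr/bin/passwd", 1000, 0, 1, 2040),  # euid 0, real uid 1000
    (3110, "worker", "/tmp/worker", 1000, 1000, 0, 1),      # binary no longer on disk
]

# Flags processes whose executable is missing from disk, or that run with
# effective root while the real UID is not root, and resolves the parent name.
TRIAGE_SQL = """
SELECT p.pid, p.name,
       CASE WHEN p.on_disk = 0 THEN 'binary_missing_on_disk'
            ELSE 'euid_root_uid_nonroot' END AS reason,
       pp.name AS parent_name
FROM {source} AS p
LEFT JOIN {source} AS pp ON pp.pid = p.parent
WHERE p.on_disk = 0 OR (p.euid = 0 AND p.uid <> 0)
ORDER BY p.pid;
"""

def build_db():
    """In-memory stand-in for osquery: table subset plus the view from the page."""
    db = sqlite3.connect(":memory:")
    # Assumption: only the columns the query needs are modelled here.
    db.execute(
        "CREATE TABLE elastic_host_processes (pid BIGINT, name TEXT, path TEXT,"
        " uid BIGINT, euid BIGINT, on_disk INTEGER, parent BIGINT)"
    )
    db.executemany("INSERT INTO elastic_host_processes VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    # View definition exactly as documented on this page.
    db.execute("CREATE VIEW host_processes AS SELECT * FROM elastic_host_processes")
    return db

def triage(db, source):
    """Run the triage query against the view or the table (allow-listed names only)."""
    if source not in ("host_processes", "elastic_host_processes"):
        raise ValueError(f"unexpected source: {source}")
    return db.execute(TRIAGE_SQL.format(source=source)).fetchall()

if __name__ == "__main__":
    for row in triage(build_db(), "elastic_host_processes"):
        print(row)
```
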

Notes

  • Deprecated in favor of elastic_host_processes; use the table directly for new queries.
  • elastic_host_processes
  • elastic_host_users