The approach is very good. However, from all these processes I am interested only in the ones that end with the whoami. So I would like to find a way to end up with as below:

C:\WINDOWS\system32\services.exe - >C:\WINDOWS\PSEXESVC.EXE ->\"cmd\" -> whoami excluding the rest.

| makeresults 
| eval _raw="User,host,parent_process_id,parent_process,process_id,process,count
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10136,whoami,1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10540,\"AdobeExpiryCheck.exe\",1
NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",6764,hostname,1
NT AUTHORITY\SYSTEM,Laptop,8100,C:\WINDOWS\PSEXESVC.EXE,11808,\"cmd\",1
NT AUTHORITY\SYSTEM,Laptop,816,C:\WINDOWS\system32\services.exe,8100,C:\WINDOWS\PSEXESVC.EXE,1" 
| multikv forceheader=1 
| table User,host,parent_process_id,parent_process,process_id,process,count 
| sort parent_process_id 
| eval processes=mvappend(parent_process,process) 
| dedup parent_process
| stats list(processes) as processes 
| eval processes=mvdedup(processes)
| eval processes=mvjoin(processes," -> ")

| makeresults 
| eval mydata="Process1,Process2 Process2,Process3 Process3,Process4 Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10" 
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata 
| eval ParentProcess=mvindex(mydata,0) 
| eval Process=mvindex(mydata,1) 
| table ParentProcess Process
`comment("this is your sample")`
| sort - ParentProcess Process
| streamstats count(eval(match(ParentProcess,"Process4") OR match(Process,"Process4"))) as session
| where session > 0
| fields - session

It works because the field name is this.
It will not be useful if it is an actual log.

Hi, how about this?

| makeresults 
| eval mydata="Process1,Process2 Process2,Process3 Process3,Process4 Process5,Process6 Process6,Process7 Process8,Process9 Process7,Process10"
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata 
| eval ParentProcess=mvindex(mydata,0) 
| eval Process=mvindex(mydata,1)
| table ParentProcess Process
| where match(ParentProcess, "Process4") OR match(Process, "Process4") 
| head 3

Basically I need to find a way when I receive such logs to be able to track the full chain of the process.

User host parent_process_id parent_process process_id process count
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 10136 whoami 1
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 10540 "AdobeExpiryCheck.exe" 1
NT AUTHORITY\SYSTEM Laptop 11808 "cmd" 6764 hostname 1
NT AUTHORITY\SYSTEM Laptop 8100 C:\WINDOWS\PSEXESVC.EXE 11808 "cmd" 1
NT AUTHORITY\SYSTEM Laptop 816 C:\WINDOWS\system32\services.exe 8100 C:\WINDOWS\PSEXESVC.EXE 1

In this example I would like to find the below.

C:\WINDOWS\system32\services.exe->C:\WINDOWS\PSEXESVC.EXE->"cmd"->whoami

Basically I would like some how to check the Process4 and then to check backwards Process3-Process2-Process1.

Basically I would like to find the full tree of the processes when I am selecting the Process4 .

which is ParentProcess?

The Process 1 is the parent process of Process 2
The Process 2 is the parent process of Process 3
The Process 3 is the parent process of Process 4

So in the above example I would like to find away to get the full chain from process 4 to process 1.

Have you tried my second query?

Yes exactly this one.