I recently published an app that might work for your situation. https://splunkbase.splunk.com/app/5721/ The app just implements a pstree command. You can filter for trees with specific processes after calling the pstree command.

index=wineventlog host=TEST EventCode=4688 NOT ProcessID IN (18104,1176,4468,9924)
| eval parent=ProcessID." - ".ParentProcessName
| eval child=NewProcessID." - ".NewProcessName
| pstree child=child parent=parent
| table tree
| search tree=*<pid process of interest>

This command generally handles a single host fine, but there is a recursion limit in Splunk that sometimes causes the command to fail.
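For readers who want to see what the parent/child pairing in the search above actually produces, here is an added Python illustration that rebuilds the same kind of process tree from 4688-style events and then filters for trees containing a process of interest. It is not the Splunkbase app's code. The event records are constructed sample data; the field names (ProcessID, ParentProcessName, NewProcessID, NewProcessName) simply mirror the fields the search above evals, and the `ignore_parent_pids` parameter is an assumed stand-in for the `NOT ProcessID IN (...)` clause. The tree is walked with an explicit stack rather than recursion, so there is no recursion limit to hit, and a visited set guards against a loop if a PID is reused within the same batch of events.

```python
from collections import defaultdict

# Constructed sample 4688 events. As in the search above, ProcessID is the
# creator (parent) PID and NewProcessID is the PID of the process it created.
SAMPLE_EVENTS = [
    {"ProcessID": 1000, "ParentProcessName": "explorer.exe",
     "NewProcessID": 2000, "NewProcessName": "cmd.exe"},
    {"ProcessID": 2000, "ParentProcessName": "cmd.exe",
     "NewProcessID": 2100, "NewProcessName": "powershell.exe"},
    {"ProcessID": 2100, "ParentProcessName": "powershell.exe",
     "NewProcessID": 2200, "NewProcessName": "whoami.exe"},
    {"ProcessID": 1000, "ParentProcessName": "explorer.exe",
     "NewProcessID": 3000, "NewProcessName": "notepad.exe"},
    {"ProcessID": 500, "ParentProcessName": "services.exe",
     "NewProcessID": 600, "NewProcessName": "svchost.exe"},
]


def label(pid, name):
    """Same "<pid> - <name>" label the eval statements in the search build."""
    return f"{pid} - {name}"


def build_trees(events, ignore_parent_pids=()):
    """Return one indented multi-line string per process tree root.

    ignore_parent_pids (assumed helper, not a pstree option) drops events whose
    creator PID is in the set, like the NOT ProcessID IN (...) clause above.
    """
    children = defaultdict(list)   # parent label -> list of child labels
    has_parent = set()             # labels that appear as a child somewhere
    labels = set()
    for e in events:
        if e["ProcessID"] in ignore_parent_pids:
            continue
        parent = label(e["ProcessID"], e["ParentProcessName"])
        child = label(e["NewProcessID"], e["NewProcessName"])
        children[parent].append(child)
        has_parent.add(child)
        labels.update((parent, child))

    # Roots are labels that were never seen as a child of anything.
    roots = sorted(l for l in labels if l not in has_parent)
    trees = []
    for root in roots:
        lines = []
        stack = [(root, 0)]        # explicit stack: no recursion depth limit
        seen = set()
        while stack:
            node, depth = stack.pop()
            if node in seen:       # PID reuse could form a loop; stop there
                continue
            seen.add(node)
            lines.append("    " * depth + node)
            # Push in reverse so children pop out in sorted order.
            for c in reversed(sorted(children.get(node, []))):
                stack.append((c, depth + 1))
        trees.append("\n".join(lines))
    return trees


def trees_containing(trees, needle):
    """Keep only trees mentioning the needle, like search tree=*<needle>*."""
    return [t for t in trees if needle in t]


if __name__ == "__main__":
    for tree in trees_containing(build_trees(SAMPLE_EVENTS), "2200 - whoami.exe"):
        print(tree)
        print()
```

Running the block prints just the explorer.exe tree, with cmd.exe, powershell.exe and whoami.exe nested beneath it, because that is the only tree containing the PID of interest; the services.exe/svchost.exe tree is filtered out.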