Process name filter got something wrong

[opliyal3]

I use this query to filter process name

index=xxxx source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 
| rex field=ParentImage "\x5c(?<parent_process_name>[^\x5c]+)$"
| rex field=Image "\x5c(?<ProcessName>[^\x5c]+)$"
| eval parent = parent_process_name." (".parent_process_id.")"
| eval child = process_name." (".process_id.")"
| eval detail=strftime(_time,"%Y-%m-%d %H:%M:%S")." ".CommandLine
| pstree child=child parent=parent detail=detail spaces=50
| search tree=*$process_name$*
| table tree

and got this return

but the original query

index=xxxx source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"  
| rex field=ParentImage "\x5c(?<parent_process_name>[^\x5c]+)$"
| rex field=Image "\x5c(?<ProcessName>[^\x5c]+)$"
| eval parent = parent_process_name." (".parent_process_id.")"
| eval child = process_name." (".process_id.")"
| eval detail=strftime(_time,"%Y-%m-%d %H:%M:%S")." ".CommandLine
| pstree child=child parent=parent detail=detail spaces=50
| table tree

will be like it

How to do that, If I want to filter by process name, process id, command Thanks

[murchisd]

I cannot recreate this issue. There is no actual filter function in pstree command, and the only difference between the two searches is should be after pstree has already returned the data, so seems like a Splunk issue.

I have seen issues with Splunk's garbage collection and the way Splunk distributes commands before. Could you try running the search after you table the tree? If that doesn't work and you want to send the search.log I can try to see if I can find any issues.