diff --git a/hubblestack_nebula_v2/hubblestack_nebula_queries.yaml b/hubblestack_nebula_v2/hubblestack_nebula_queries.yaml
index 4d775cb..424fd70 100644
--- a/hubblestack_nebula_v2/hubblestack_nebula_queries.yaml
+++ b/hubblestack_nebula_v2/hubblestack_nebula_queries.yaml 
@@ -1,6 +1,6 @@ fifteen_min: running_procs: - query: SELECT t.unix_time AS query_time, p.name AS process, p.pid AS process_id, p.pgroup AS process_group, p.state AS process_state, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.user_time, p.system_time, (SELECT strftime('%s','now')-ut.total_seconds+p.start_time FROM uptime AS ut) AS process_start_time, pn.cgroup_namespace, pn.ipc_namespace, pn.mnt_namespace, pn.net_namespace, pn.pid_namespace, pn.user_namespace, pn.uts_namespace, p.parent AS parent_process_id, pp.name AS parent_process, g.groupname AS 'group', g.gid AS group_id, u.username AS user, u.uid AS user_id, eu.username AS effective_username, eg.groupname AS effective_groupname, p.path, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, '__JSONIFY__'||(SELECT json_group_array(json_object('fd',pof.fd, 'path',pof.path)) FROM process_open_files AS pof WHERE pof.pid=p.pid GROUP BY pof.pid) AS open_files, '__JSONIFY__'||(SELECT json_group_array(json_object('variable_name',pe.key, 'value',pe.value)) FROM process_envs AS pe WHERE pe.pid=p.pid GROUP BY pe.pid) AS environment FROM processes AS p LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN process_namespaces AS pn ON pn.pid=p.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN users AS eu ON p.euid=eu.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN groups AS eg ON p.gid=eg.gid LEFT JOIN hash AS h ON p.path=h.path LEFT JOIN time AS t WHERE p.parent IS NOT 2 AND (process NOTNULL OR p.parent NOTNULL); + query: SELECT t.unix_time AS query_time, p.name AS process, p.pid AS process_id, p.pgroup AS process_group, p.state AS process_state, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.user_time, p.system_time, (SELECT strftime('%s','now')-ut.total_seconds+p.start_time FROM uptime AS ut) AS process_start_time, pn.cgroup_namespace, pn.ipc_namespace, pn.mnt_namespace, pn.net_namespace, pn.pid_namespace, pn.user_namespace, pn.uts_namespace, p.parent AS parent_process_id, pp.name AS 
parent_process, CASE WHEN count(pc.pid)>0 THEN '__JSONIFY__'||json_group_array(pc.pid) ELSE NULL END AS child_processes, g.groupname AS 'group', g.gid AS group_id, u.username AS user, u.uid AS user_id, eu.username AS effective_username, eg.groupname AS effective_groupname, p.path, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, '__JSONIFY__'||(SELECT json_group_array(json_object('fd',pof.fd, 'path',pof.path)) FROM process_open_files AS pof WHERE pof.pid=p.pid GROUP BY pof.pid) AS open_files, '__JSONIFY__'||(SELECT json_group_array(json_object('variable_name',pe.key, 'value',pe.value)) FROM process_envs AS pe WHERE pe.pid=p.pid GROUP BY pe.pid) AS environment FROM processes AS p LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN processes AS pc ON pc.parent==p.pid LEFT JOIN process_namespaces AS pn ON pn.pid=p.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN users AS eu ON p.euid=eu.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN groups AS eg ON p.gid=eg.gid LEFT JOIN hash AS h ON p.path=h.path LEFT JOIN time AS t WHERE p.parent IS NOT 2 AND (process NOTNULL OR p.parent NOTNULL) GROUP BY p.pid; established_outbound: query: SELECT t.unix_time AS query_time, pos.state AS connection_state, CASE pos.family WHEN 2 THEN 'ipv4' WHEN 10 THEN 'ipv6' ELSE pos.family END AS family, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, h.directory AS directory, pos.local_address AS src_connection_ip, pos.local_port AS src_connection_port, pos.remote_port AS dest_connection_port, pos.remote_address AS dest_connection_ip, p.name AS process, p.pid AS process_id, p.parent AS parent_process_id, pp.name AS parent_process, p.path AS file_path, f.size AS file_size, p.cmdline AS cmdline, u.uid AS user_id, u.username AS user, CASE pos.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE pos.protocol END AS transport, pn.cgroup_namespace, pn.ipc_namespace, pn.mnt_namespace, pn.net_namespace, pn.pid_namespace, pn.user_namespace, pn.uts_namespace FROM process_open_sockets AS pos JOIN 
processes AS p ON p.pid=pos.pid LEFT JOIN process_namespaces AS pn ON pn.pid=p.pid LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path LEFT JOIN file AS f ON f.path=p.path WHERE NOT pos.remote_address='' AND NOT pos.remote_address='::' AND NOT pos.remote_address='::1' AND NOT pos.remote_address='0.0.0.0' AND NOT pos.remote_address='127.0.0.1' AND (pos.local_port,pos.protocol) NOT IN (SELECT lp.port, lp.protocol FROM listening_ports AS lp); listening_procs:
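Review bot: The new `LEFT JOIN processes AS pc ON pc.parent==p.pid` in `running_procs` fans the result out to one row per child before `GROUP BY p.pid` collapses it, so the correlated `open_files` and `environment` subqueries (and presumably the `hash` lookup on `p.path`) are evaluated once per child rather than once per process, and in SQLite every other column of the row becomes a bare column taken from an arbitrary member of the group. Computing the children the same way the query already computes open files avoids both: replace the `CASE WHEN count(pc.pid)>0 ... END AS child_processes` expression with `'__JSONIFY__'||(SELECT json_group_array(pc.pid) FROM processes AS pc WHERE pc.parent=p.pid GROUP BY pc.parent) AS child_processes`, which is NULL for a childless process exactly as the CASE is, then drop the `pc` join and the trailing `GROUP BY p.pid`. The join condition also uses `==` where every other join in the file uses `=`. Separately, the new line carries forward `LEFT JOIN groups AS eg ON p.gid=eg.gid`, which makes `effective_groupname` always equal `group`; the intent looks like the effective gid (`p.egid`, if that column is available in this osquery build), worth confirming while this query is being touched.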