Use empty columns instead of zeroes when undefined in socket_events by zwass · Pull Request #8510 · osquery/osquery
I think it is easier to understand the results when the values that we don't know are set to empty/null rather than explicitly set to zero. I think that explicitly setting to zero might be a leftover from the time when osquery couldn't handle empty column values.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters