diff --git a/README.md b/README.md index df83424..c3faf49 100644 --- a/README.md +++ b/README.md @@ -38,43 +38,30 @@ userspace recipient to give you the full six degrees of freedom. Examples -------- -### Syscall Tracing +Here are some one-liner examples to show the kinds of questions that +`ply` can help answer. -**`read()` return size, summarized as a power-of-2 histogram:** +**What is the distribution of the returned sizes from `read(2)`s to the VFS?** ``` -ply 'kretprobe:SyS_read { @["size"] = quantize(retval); }' +ply 'kretprobe:vfs_read { @["size"] = quantize(retval); }' ``` -**`read()` request size, as a power-of-2 histogram, for reads > 1 kB, grouped by pid:** +**Which processes are receiving errors when reading from the VFS?** ``` -ply 'kprobe:SyS_read / arg2 > 1024 / { @[pid] = quantize(arg2); }' +ply 'kretprobe:vfs_read if (retval < 0) { @[pid, comm, retval] = count(); }' ``` -**`open()` Print process name, pid and the file that was opened:** +**Which files are being opened, by who?** ``` -ply 'kprobe:do_sys_open { printf("%v(%v): %s\n", comm, pid, str(arg1)); }' +ply 'kprobe:do_sys_open { printf("%v(%v): %s\n", comm, uid, str(arg1)); }' ``` -**Count all system calls by syscall type:** +**When sending packets, where are we coming from?** ``` -ply 'kprobe:SyS_* { @[caller] = count(); }' +ply 'kprobe:dev_queue_xmit { @[stack] = count(); }' ``` -**Count all system calls by process name and pid:** -``` -ply 'kprobe:SyS_* { @[comm, pid] = count(); }' -``` - -### Stack Traces - -**Frequency count all different paths to `schedule`:** -``` -ply 'kprobe:schedule { @[stack] = count(); }' -``` - -### Tracepoints - -**Monitor all incoming TCP resets:** +**From which hosts and ports are we receiving TCP resets?** ``` ply 'tracepoint:tcp/tcp_receive_reset { printf("saddr:%v port:%v->%v\n", @@ -82,6 +69,7 @@ ply 'tracepoint:tcp/tcp_receive_reset { }' ``` + Build and Installation ----------------------
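Review bot: The first example in the first hunk, `ply 'kretprobe:vfs_read { @["size"] = quantize(retval); }'`, folds negative error returns into the size histogram, while the very next example treats `retval < 0` as the error case; for the question "distribution of returned sizes" consider guarding it with the same filter form, e.g. `kretprobe:vfs_read if (retval >= 0) { ... }`, so error codes do not show up as sizes. The same hunk also replaces the `/ arg2 > 1024 /` predicate form with `if (retval < 0)`; if the slash form is still documented anywhere else in the README, that text should be updated in the same change so the two syntaxes are not presented side by side. Minor: "by who?" in the `do_sys_open` example should read "by whom?", and dropping the `### Syscall Tracing`, `### Stack Traces` and `### Tracepoints` subheadings leaves the examples as one undifferentiated run; if that is intended, a sentence in the new intro saying the list mixes kprobes, kretprobes and tracepoints would help readers find the probe type they need.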
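Review bot: The second hunk only inserts an extra blank line before the `Build and Installation` heading, which leaves two consecutive blank lines after the closing fence; this looks unintentional and should be dropped from the change.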