draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

How to get the whole event from the results sysdig created? #1898

Closed kunzeng-ch closed 1 year ago

kunzeng-ch commented 2 years ago

How can I get a complete event from the data collected by sysdig? It is from the beginning of the event to the end of the event, which may include multiple operations such as read, write, open, close, etc.

jasondellaluce commented 2 years ago

Hey @kunzeng-ch, not sure what you mean. In the logic of sysdig, each syscall execution (read, write, open, etc... like you mentioned) represents an individual event. The tool processes all these events one by one and is able to filter and print them out by extracting information from them. What do you want to achieve here? Something like a concatenation or correlation of events?

kunzeng-ch commented 2 years ago

What I mean is that I want to track the complete events of a process, if there are multiple threads, then I need to find out the relationship between multiple threads. For example, the 2158996 thread was transferred to the 2247779 thread through the switch, but I found that there was no thread with tid 2247779 in the data I collected. Looking at the official documentation, the first parameter of switch refers to pid. I collected the pid of the process, but I still could not find the corresponding pid. May I ask what the 2247779 of this switch refers to?

time:17:45:01.252312223 proc_name:flock thread_tid:2158996 evt_type:switch evt_args:next=2247779 pgft_maj=0 pgft_min=120 vm_size=11692 vm_rss=760 vm_swap=0
time:17:45:01.252323527 proc_name:flock thread_tid:2158996 evt_type:mmap evt_args:addr=0 length=122 prot=1(PROT_READ) flags=1(MAP_SHARED) fd=3 offset=0

jasondellaluce commented 2 years ago

From my understanding, 2247779 should be the next pid to be scheduled.

kunzeng-ch commented 2 years ago

But the first parameter of switch is tid, not pid. For example:

time:17:45:01.200746271 proc_name:containerd thread_tid:521369 evt_type:switch evt_args:next=2353(containerd) pgft_maj=0 pgft_min=24 vm_size=2379508 vm_rss=21128 vm_swap=5944
time:17:45:01.200755624 proc_name:containerd thread_tid:2353 evt_type:clock_gettime evt_args:
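As an added example (not code from this thread or from the sysdig project), here is a small Python parser for the key:value event lines quoted above. It groups events per thread_tid and flags switch events whose next tid never appears as thread_tid anywhere in the capture, which is the situation kunzeng-ch describes with 2247779. The sample lines are constructed from the ones quoted in the issue; the field names and the `next=2353(containerd)` suffix layout are assumed to be exactly as shown there.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in this issue (not real capture data).
SAMPLE = """\
time:17:45:01.200746271 proc_name:containerd thread_tid:521369 evt_type:switch evt_args:next=2353(containerd) pgft_maj=0 pgft_min=24 vm_size=2379508 vm_rss=21128 vm_swap=5944
time:17:45:01.200755624 proc_name:containerd thread_tid:2353 evt_type:clock_gettime evt_args:
time:17:45:01.252312223 proc_name:flock thread_tid:2158996 evt_type:switch evt_args:next=2247779 pgft_maj=0 pgft_min=120 vm_size=11692 vm_rss=760 vm_swap=0
time:17:45:01.252323527 proc_name:flock thread_tid:2158996 evt_type:mmap evt_args:addr=0 length=122 prot=1(PROT_READ) flags=1(MAP_SHARED) fd=3 offset=0
"""

LINE_RE = re.compile(r"^time:(\S+) proc_name:(\S+) thread_tid:(\d+) "
                     r"evt_type:(\S+) evt_args:(.*)$")

def parse_event(line):
    """Parse one 'key:value ...' line; evt_args becomes a dict of k=v pairs."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    time, proc, tid, evt_type, rest = m.groups()
    args = dict(tok.partition("=")[::2] for tok in rest.split())
    return {"time": time, "proc_name": proc, "tid": int(tid),
            "evt_type": evt_type, "args": args}

def parse_capture(text):
    """Parse every non-empty line of a dump into a list of event dicts."""
    return [parse_event(l) for l in text.splitlines() if l.strip()]

def next_tid(event):
    """Scheduled-in thread id of a switch event as an int, or None.
    The 'next' value may carry a '(comm)' suffix such as 2353(containerd)."""
    if event["evt_type"] != "switch":
        return None
    m = re.match(r"\d+", event["args"].get("next", ""))
    return int(m.group()) if m else None

def events_by_thread(events):
    """Group event types per thread_tid, preserving capture order."""
    by_tid = defaultdict(list)
    for e in events:
        by_tid[e["tid"]].append(e["evt_type"])
    return dict(by_tid)

def unresolved_switches(events):
    """(switching tid, next tid) for each switch whose next thread never
    appears as thread_tid in the capture, i.e. it was not being traced."""
    seen = {e["tid"] for e in events}
    return [(e["tid"], next_tid(e)) for e in events
            if next_tid(e) is not None and next_tid(e) not in seen]
```

Run `unresolved_switches(parse_capture(SAMPLE))` to list the switch targets that the capture filter did not include; an empty list means every thread scheduled in was also traced.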

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
