Closed ChinaBluecat closed 1 month ago
Hey @ChinaBluecat! That's for sure a problem of https://github.com/falcosecurity/libs. You can open an issue there :)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
When I run this script, I can get %proc.exe_ino in the result normally:

```bash
sudo sysdig "evt.type in ('read', 'write') and proc.exe_ino!=0" -p "%proc.exe_ino" -j
```

Result:

```
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
......
```

But when I export them using the "-w" argument and try to load them from the output file, I get an empty result:

```bash
sudo sysdig "evt.type in ('read', 'write') and proc.exe_ino!=0" -p "%proc.exe_ino" -w [output_path]
sudo sysdig -r [output_path] -p "%proc.exe_ino" -j
```

But it seems that other keys can be found in the output file:

```bash
sudo sysdig -r [output_path] -p "%evt.type, %evt.info"
```

Result:

```
{"evt.info":"res=0 ","evt.type":"epoll_wait"}
{"evt.info":"maxevents=1024 ","evt.type":"epoll_wait"}
{"evt.info":"next=0 pgft_maj=0 pgft_min=4411 vm_size=1055528 vm_rss=27548 vm_swap=0 ","evt.type":"switch"}
{"evt.info":"","evt.type":"clock_nanosleep"}
{"evt.info":"fd=17() ","evt.type":"recvmsg"}
{"evt.info":"res=-11(EAGAIN) size=0 data=NULL tuple=NULL msgcontrol=NULL ","evt.type":"recvmsg"}
{"evt.info":"fd=17() ","evt.type":"recvmsg"}
{"evt.info":"res=-11(EAGAIN) size=0 data=NULL tuple=NULL msgcontrol=NULL ","evt.type":"recvmsg"}
{"evt.info":"fds=17:u3 timeout=0 ","evt.type":"poll"}
{"evt.info":"res=0 fds= ","evt.type":"poll"}
```
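Before relying on a field in offline analysis of a capture file, it helps to verify which fields that a live run populates survive the `-w` / `-r` round trip. The script below is an added example, not code from the issue or from the sysdig project: it consumes the JSON-lines output that `sysdig -j` prints (the sample lines are constructed from the outputs above) and reports fields that are populated live but never populated on replay.

```python
import json
from collections import Counter

# Constructed samples modelled on the issue: the live run emits proc.exe_ino on
# every event, replaying the capture with the same -p format prints nothing,
# while replaying with other fields does print records.
LIVE_EXE_INO_JSONL = """\
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
......
"""
REPLAY_EXE_INO_JSONL = ""  # empty result from `sysdig -r [output_path] -p "%proc.exe_ino" -j`
REPLAY_OTHER_FIELDS_JSONL = """\
{"evt.info":"res=0 ","evt.type":"epoll_wait"}
{"evt.info":"","evt.type":"clock_nanosleep"}
{"evt.info":"fd=17() ","evt.type":"recvmsg"}
{"evt.info":"fds=17:u3 timeout=0 ","evt.type":"poll"}
"""


def field_coverage(jsonl):
    """Return (records_parsed, Counter of field -> records with a non-empty value).

    A value of "", None or 0 counts as "not populated" (sysdig prints 0 for an
    unresolved inode, which is why the filter above uses proc.exe_ino!=0).
    """
    records = 0
    populated = Counter()
    for line in jsonl.splitlines():
        line = line.strip()
        if not line or line.startswith("..."):  # blank lines and the "......" elision
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore non-JSON status lines sysdig may print
        records += 1
        for key, value in obj.items():
            if value not in ("", None, 0):
                populated[key] += 1
    return records, populated


def fields_lost_in_replay(live_jsonl, replay_jsonl):
    """Fields populated in the live run that are never populated when the capture is replayed."""
    _, live = field_coverage(live_jsonl)
    _, replay = field_coverage(replay_jsonl)
    return sorted(field for field in live if replay[field] == 0)
```

Running the same filter and `-p` format live and then against the capture file, and feeding both outputs to `fields_lost_in_replay`, lists exactly the fields that cannot be trusted in the saved capture.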