
Please add regular expression support for filtering

Open pavel-odintsov opened this issue 11 years ago • 6 comments

Hello!

In many cases, filtering some events (like reads or writes of all files in the folder /var/lib/mysql/base_named/*) would use regular expressions, but right now I have to generate sysdig rules with bash and get this nightmare:

sysdig "evt.type=read and (fd.name=/vz/root/1202/dev/null or fd.name=/vz/root/1203/dev/null or fd.name=/vz/root/1204/dev/null or fd.name=/vz/root/1205/dev/null or fd.name=/vz/root/1207/dev/null or fd.name=/vz/root/1210/dev/null or fd.name=/vz/root/1212/dev/null or fd.name=/vz/root/1214/dev/null or fd.name=/vz/root/1215/dev/null or fd.name=/vz/root/1217/dev/null or fd.name=/vz/root/1218/dev/null or fd.name=/vz/root/1219/dev/null or fd.name=/vz/root/1220/dev/null or fd.name=/vz/root/1221/dev/null or fd.name=/vz/root/1222/dev/null or fd.name=/vz/root/1224/dev/null or fd.name=/vz/root/1225/dev/null or fd.name=/vz/root/1226/dev/null or fd.name=/vz/root/1227/dev/null or fd.name=/vz/root/1230/dev/null or fd.name=/vz/root/1232/dev/null or fd.name=/vz/root/1233/dev/null or fd.name=/vz/root/11111/dev/null or fd.name=/vz/root/19471/dev/null or fd.name=/vz/root/19486/dev/null or fd.name=/vz/root/39045/dev/null or fd.name=/vz/root/39048/dev/null or fd.name=/vz/root/39066/dev/null or fd.name=/vz/root/55124/dev/null or fd.name=/vz/root/55384/dev/null or fd.name=/vz/root/59082/dev/null or fd.name=/vz/root/63424/dev/null or fd.name=/vz/root/1010101010/dev/null or fd.name=/vz/root/1010101011/dev/null)"

But with regular expressions it would look fine:

sysdig "evt.type=read and fd.name=~#/vz/root/\d+/dev/null#"

Thank you!

pavel-odintsov avatar Sep 09 '14 12:09 pavel-odintsov

How about a filter like this: fd.name contains /vz/root/ and fd.name contains dev/null

Would it generate too many false positives?

ldegio avatar Sep 10 '14 17:09 ldegio

It will be nice!

pavel-odintsov avatar Sep 10 '14 17:09 pavel-odintsov

+1

unixist avatar Mar 08 '16 19:03 unixist

Globbing could also be useful - far less flexible, of course, but also with smaller performance implications.

In the example above you might do something like fd.name = /vz/root/*/dev/null

henridf avatar Mar 08 '16 19:03 henridf
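To make ldegio's false-positive question and henridf's glob suggestion concrete, here is an added example (not code from the issue or from the sysdig project) that models the three candidate filters in Python and runs them over a constructed list of fd.name values. It assumes sysdig's `=` is an exact string comparison and `contains` is a substring test; the `=~` regex operator is the reporter's proposed syntax, not an existing one, and the glob is modelled here as a shell-style path glob in which `*` does not cross `/`, which is an assumption about how such an operator would behave.

```python
import re

# Constructed sample fd.name values (not taken from the issue): the paths the
# reporter wants to catch, plus near-misses that a loose filter might also catch.
SAMPLE_FD_NAMES = [
    "/vz/root/1202/dev/null",
    "/vz/root/1010101011/dev/null",
    "/vz/root/1202/dev/null.bak",       # suffix differs
    "/vz/root/1202/home/dev/null",      # extra path component
    "/vz/root/abc/dev/null",            # non-numeric container id
    "/backup/vz/root/1202/dev/null",    # prefix differs
    "/vz/root/1202/etc/passwd",
    "/dev/null",
]

# Container ids the reporter would enumerate with bash (constructed subset).
CONTAINER_IDS = [1202, 1203, 1010101011]


def match_exact_or_list(name, ids=CONTAINER_IDS):
    """The reporter's current approach: an OR chain of exact fd.name=... terms."""
    return name in {f"/vz/root/{i}/dev/null" for i in ids}


def match_contains(name):
    """ldegio's suggestion: fd.name contains /vz/root/ and fd.name contains dev/null."""
    return "/vz/root/" in name and "dev/null" in name


def glob_to_regex(pattern):
    """Translate a path glob to a regex where '*' matches anything except '/'.
    This is the assumed semantics of henridf's fd.name = /vz/root/*/dev/null."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + "[^/]*".join(parts) + "$")


GLOB = glob_to_regex("/vz/root/*/dev/null")


def match_glob(name):
    """henridf's suggestion, evaluated with the glob_to_regex model above."""
    return GLOB.fullmatch(name) is not None


# The reporter's requested regex from the issue, anchored at both ends.
REGEX = re.compile(r"^/vz/root/\d+/dev/null$")


def match_regex(name):
    """The reporter's intended filter: only numeric container ids, exact path."""
    return REGEX.fullmatch(name) is not None


FILTERS = {
    "exact": match_exact_or_list,
    "contains": match_contains,
    "glob": match_glob,
    "regex": match_regex,
}


def evaluate(names=SAMPLE_FD_NAMES):
    """Return {filter_name: [fd.names it accepts]} for side-by-side comparison."""
    return {label: [n for n in names if fn(n)] for label, fn in FILTERS.items()}


def false_positives(filter_name, names=SAMPLE_FD_NAMES):
    """Names the given filter accepts but the regex (the reporter's intent) rejects."""
    fn = FILTERS[filter_name]
    return [n for n in names if fn(n) and not match_regex(n)]


if __name__ == "__main__":
    for label, hits in evaluate().items():
        print(f"{label:>8}: {len(hits)} hit(s), "
              f"{len(false_positives(label))} false positive(s)")
```

On this sample the `contains` filter accepts four paths the reporter does not want (a `.bak` file, a deeper `dev/null`, a non-numeric id and a different prefix), the path glob accepts one (the non-numeric id), and the anchored regex accepts exactly the same set as the hand-built OR chain, which is the precision a detection filter on file access needs.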

Hey, does sysdig support this: fd.name contains /afile.*/ ?

objectiveinteraction avatar Apr 07 '19 18:04 objectiveinteraction

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Mar 02 '23 02:03 github-actions[bot]