
Please add regular expression support for filtering #241

Open
pavel-odintsov opened this issue Sep 9, 2014 · 6 comments

Comments

@pavel-odintsov
Contributor

Hello!

In many cases, filtering some events (like reading or writing for all files in the folder /var/lib/mysql/base_named/*) needs regular expressions, but right now I have to generate sysdig rules with bash and I get this nightmare:

sysdig "evt.type=read and (fd.name=/vz/root/1202/dev/null or fd.name=/vz/root/1203/dev/null or fd.name=/vz/root/1204/dev/null or fd.name=/vz/root/1205/dev/null or fd.name=/vz/root/1207/dev/null or fd.name=/vz/root/1210/dev/null or fd.name=/vz/root/1212/dev/null or fd.name=/vz/root/1214/dev/null or fd.name=/vz/root/1215/dev/null or fd.name=/vz/root/1217/dev/null or fd.name=/vz/root/1218/dev/null or fd.name=/vz/root/1219/dev/null or fd.name=/vz/root/1220/dev/null or fd.name=/vz/root/1221/dev/null or fd.name=/vz/root/1222/dev/null or fd.name=/vz/root/1224/dev/null or fd.name=/vz/root/1225/dev/null or fd.name=/vz/root/1226/dev/null or fd.name=/vz/root/1227/dev/null or fd.name=/vz/root/1230/dev/null or fd.name=/vz/root/1232/dev/null or fd.name=/vz/root/1233/dev/null or fd.name=/vz/root/11111/dev/null or fd.name=/vz/root/19471/dev/null or fd.name=/vz/root/19486/dev/null or fd.name=/vz/root/39045/dev/null or fd.name=/vz/root/39048/dev/null or fd.name=/vz/root/39066/dev/null or fd.name=/vz/root/55124/dev/null or fd.name=/vz/root/55384/dev/null or fd.name=/vz/root/59082/dev/null or fd.name=/vz/root/63424/dev/null or fd.name=/vz/root/1010101010/dev/null or fd.name=/vz/root/1010101011/dev/null)"

But with regular expressions it would look fine:

sysdig "evt.type=read and fd.name=~#/vz/root/\d+/dev/null#"

Thank you!

@ldegio
Contributor

ldegio commented Sep 10, 2014

How about a filter like this:
fd.name contains /vz/root/ and fd.name contains dev/null

Would it generate too many false positives?

@pavel-odintsov
Contributor Author

It will be nice!

@unixist

unixist commented Mar 8, 2016

+1

@henridf
Contributor

henridf commented Mar 8, 2016

Globbing could also be useful - far less flexible, of course, but also with fewer performance implications.

In the example above you might do something like fd.name = /vz/root/*/dev/null
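To make ldegio's false-positive question and henridf's globbing suggestion concrete, here is an added Python example (not sysdig code, and not written by anyone in this thread) that evaluates the four candidate filters from the discussion against a constructed list of fd.name values. It assumes that a sysdig glob `*` would match across `/` the way Python's fnmatch does, and that `=~` would be an unanchored search; the thread confirms neither.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample fd.name values, not taken from a real sysdig capture.
SAMPLE_FD_NAMES = [
    "/vz/root/1202/dev/null",        # container 1202: intended match
    "/vz/root/19471/dev/null",       # container 19471: intended match
    "/vz/root/1202/tmp/dev/null",    # nested path inside the container
    "/vz/root/abc/dev/null",         # non-numeric container id
    "/vz/root/1202/etc/passwd",      # unrelated file: nothing should match
    "/vz/root/1202/dev/null.bak",    # same prefix, extra suffix
]

# Approach 1: the explicit OR list the reporter generates with bash
# (constructed subset of container ids; any id not listed is missed).
CONTAINER_IDS = [1202, 19471]

def matches_or_list(name, ids=CONTAINER_IDS):
    return any(name == f"/vz/root/{cid}/dev/null" for cid in ids)

# Approach 2: the regex proposed in the issue, exactly as written there.
PROPOSED = re.compile(r"/vz/root/\d+/dev/null")

def matches_regex_search(name):
    # Unanchored substring search (assumed =~ semantics).
    return PROPOSED.search(name) is not None

def matches_regex_full(name):
    # Anchored at both ends: the whole fd.name must be one container's /dev/null.
    return PROPOSED.fullmatch(name) is not None

# Approach 3: ldegio's two-'contains' approximation.
def matches_contains(name):
    return "/vz/root/" in name and "dev/null" in name

# Approach 4: henridf's glob (assumes '*' may span '/' like fnmatch).
def matches_glob(name):
    return fnmatchcase(name, "/vz/root/*/dev/null")

def false_positives(matcher, names=SAMPLE_FD_NAMES):
    """Names a matcher accepts that the anchored regex (the stated intent) rejects."""
    return [n for n in names if matcher(n) and not matches_regex_full(n)]

if __name__ == "__main__":
    for m in (matches_or_list, matches_regex_search, matches_contains, matches_glob):
        print(f"{m.__name__:20s} false positives: {false_positives(m)}")
```

The OR list produces no false positives but silently misses any container id that was not in the list when the rule was generated, which is the maintenance problem the issue describes.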

@objectiveinteraction

Hey, does sysdig support this: fd.name contains /afile.*/ ?

@github-actions

github-actions bot commented Mar 2, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
