Sysdig Secure
Run-time security for containers
Learn more
MeetupJoin our first open source user conference

Container-Native Monitoring

Check it Out

Sysdig Quick Reference Guide

Note: this content is mirrored from the sysdig github repository. Please go there to edit or contribute to the sysdig wiki.

Table of Contents

Command Format

sysdig [option]... [filter]

Command Options

-b, --print-base64
Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to handle textual data (i.e., terminal or json).

-c chiselname chiselargs, --chisel=chiselname chiselargs
run the specified chisel. If the chisel requires arguments, they must be specified in the command line after the name.

-cl, --list-chisels
List the available chisels. Looks for chisels in ., ./chisels, ~/chisels and /usr/share/sysdig/chisels.

-dv, --displayflt
Make the given filter a display one Setting this option causes the events to be filtered after being parsed by the state system. Events are normally filtered before being analyzed, which is more efficient, but can cause state (e.g. FD names) to be lost

-h, --help
Print this page

-j, --json
Emit output as json, data buffer encoding will depend from the print format selected.

-l, --list
List the fields that can be used for filtering and output formatting. Use -lv to get additional information for each field.

-L, --list-events
List the events that the engine supports

-n num, --numevents=num
Stop capturing after events

-p output_format, --print=output_format
Specify the format to be used when printing the events. See the examples section below for more info.

-q, --quiet
Don't print events on the screen. Useful when dumping to disk.

-r readfile, --read=readfile
Read the events from .

-S, --summary
print the event summary (i.e. the list of the top events) when the capture ends.

-s len, --snaplen=len
Capture the first bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.

-t timetype, --timetype=timetype
Change the way event time is diplayed. Accepted values are h for human-readable string, a for abosulte timestamp from epoch, r for relative time from the beginning of the capture, and d for delta between event enter and exit.

-v, --verbose
Verbose output

-w writefile, --write=writefile
Write the captured events to writefile.

Basic Command List

Capture all the events from the live system and print them to screen


Capture all the events from the live system and save them to disk

sysdig -qw dumpfile.scap

Read events from a file and print them to screen

sysdig -r dumpfile.scap

Print all the open system calls invoked by cat

sysdig and evt.type=open

Print the name of the files opened by cat

./sysdig -p"" and evt.type=open

List the available chisels

./sysdig -cl

Run the spy_ip chisel for the IP address:

sysdig –c spy_ip

Output Format

By default, sysdig prints the information for each captured event on a single line, with the following format:

<evt.time> <evt.cpu> <> <thread.tid> <evt.dir> <evt.type> <evt.args>

where: evt.time is the event timestamp evt.cpu is the CPU number where the event was captured is the name of the process that generated the event thread.tid id the TID that generated the event, which corresponds to the PID for single thread processes evt.dir is the event direction, > for enter events and < for exit events evt.type is the name of the event, e.g. 'open' or 'read' evt.args is the list of event arguments.

The output format can be customized with the -p switch, using any of the fields listed by 'sysdig -l'.


sysdig filters are specified at the end of the command line. The simplest filter is a simple field-value check:

$ sysdig

The list of available fields can be obtained with 'sysdig -l'. Checks can use one of these comparison operators: =, !=, <, <=, >, >= and contains. e.g.

$ sysdig contains /etc

Multiple checks can be combined through parentheses and the following boolean operators: and, or, not. e.g.

$ sysdig "not( contains /proc or contains /dev)"


Sysdig’s chisels are little scripts that analyze the sysdig event stream to perform useful actions. To get the list of available chisels, type

$ sysdig –cl

For each chisel, you get the description and the list of arguments it expects. To run one of the chisels, you use the –c flag, e.g.:

$ sysdig –c topfiles_bytes

If a chisel needs arguments, you specify them after the chisel name:

$ sysdig –c spy_ip

Chiesls can be combined with filters:

$ sysdig -c topfiles_bytes "not contains /dev"

Container-Native Monitoring

Check it Out