Note: this content is mirrored from the sysdig github repository. Please go there to edit or contribute to the sysdig wiki.
sysdig [option]... [filter]
-b, --print-base64
Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to handle textual data (i.e., terminal or json).
-c chiselname chiselargs, --chisel=chiselname chiselargs
Run the specified chisel. If the chisel requires arguments, they must be specified in the command line after the name.
-cl, --list-chisels
List the available chisels. Looks for chisels in ., ./chisels, ~/chisels and /usr/share/sysdig/chisels.
-d, --displayfilter
Make the given filter a display one. Setting this option causes the events to be filtered after being parsed by the state system. Events are normally filtered before being analyzed, which is more efficient, but can cause state (e.g. FD names) to be lost.
-h, --help
Print this page.
-j, --json
Emit output as JSON; the data buffer encoding depends on the print format selected.
-l, --list
List the fields that can be used for filtering and output formatting. Use -lv to get additional information for each field.
-L, --list-events
List the events that the engine supports.
-n num, --numevents=num
Stop capturing after num events.
-p output_format, --print=output_format
Specify the format to be used when printing the events. See the examples section below for more info.
-q, --quiet
Don't print events on the screen. Useful when dumping to disk.
-r readfile, --read=readfile
Read the events from readfile.
-S, --summary
Print the event summary (i.e. the list of the top events) when the capture ends.
-s len, --snaplen=len
Capture the first len bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.
-t timetype, --timetype=timetype
Change the way event time is displayed. Accepted values are h for human-readable string, a for absolute timestamp from epoch, r for relative time from the beginning of the capture, and d for delta between event enter and exit.
-w writefile, --write=writefile
Write the captured events to writefile.
Capture all the events from the live system and print them to screen
sysdig
Capture all the events from the live system and save them to disk
sysdig -qw dumpfile.scap
Read events from a file and print them to screen
sysdig -r dumpfile.scap
Print all the open system calls invoked by cat
sysdig proc.name=cat and evt.type=open
Print the name of the files opened by cat
./sysdig -p"%evt.arg.name" proc.name=cat and evt.type=open
List the available chisels
sysdig -cl
Run the spy_ip chisel for the 192.168.1.157 IP address:
sysdig -c spy_ip 192.168.1.157
By default, sysdig prints the information for each captured event on a single line, with the following format:
<evt.time> <evt.cpu> <proc.name> <thread.tid> <evt.dir> <evt.type> <evt.args>
where:
evt.time is the event timestamp
evt.cpu is the CPU number where the event was captured
proc.name is the name of the process that generated the event
thread.tid is the TID that generated the event, which corresponds to the PID for single-threaded processes
evt.dir is the event direction, > for enter events and < for exit events
evt.type is the name of the event, e.g. 'open' or 'read'
evt.args is the list of event arguments.
The output format can be customized with the -p switch, using any of the fields listed by 'sysdig -l'.
sysdig filters are specified at the end of the command line. The simplest filter is a simple field-value check:
$ sysdig proc.name=cat
The list of available fields can be obtained with 'sysdig -l'. Checks can use one of these comparison operators: =, !=, <, <=, >, >= and contains. e.g.
$ sysdig fd.name contains /etc
Multiple checks can be combined through parentheses and the following boolean operators: and, or, not. e.g.
$ sysdig "not(fd.name contains /proc or fd.name contains /dev)"
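As an added illustration, not sysdig's own code, the following Python script parses lines in the default output format described above and evaluates a filter written in the syntax just described against them: field checks using the listed comparison operators and contains, combined with and, or, not and parentheses. The sample lines are constructed for the example in the documented field order; the evaluator understands only a subset of sysdig's fields (evt.time, evt.cpu, proc.name, thread.tid, evt.dir, evt.type, fd.name and evt.arg.*), and it derives fd.name from the event's own fd= or name= argument rather than from sysdig's state system.

```python
import re
# Constructed sample output in the documented field order (not a real capture):
# <evt.time> <evt.cpu> <proc.name> <thread.tid> <evt.dir> <evt.type> <evt.args>
SAMPLE_OUTPUT = """\
12:41:07.412835362 0 cat 3120 < open fd=3(<f>/etc/passwd) name=/etc/passwd flags=1(O_RDONLY) mode=0
12:41:07.412901201 0 cat 3120 > read fd=3(<f>/etc/passwd) size=131072
12:41:07.413002718 1 sshd 1187 < open fd=5(<f>/dev/null) name=/dev/null flags=3(O_RDWR) mode=0
12:41:07.413110450 1 bash 2201 > write fd=1(<f>/dev/pts/0) size=12
12:41:07.413244009 0 cat 3120 < open fd=4(<f>/proc/meminfo) name=/proc/meminfo flags=1(O_RDONLY) mode=0
"""

def parse_line(line):
    parts = line.split(None, 6)         # six fixed fields, then evt.args (may contain spaces)
    if len(parts) < 6:
        raise ValueError(f"not a sysdig default-format line: {line!r}")
    time, cpu, proc, tid, direction, etype = parts[:6]
    args = dict(re.findall(r"(\w+)=(\S+)", parts[6] if len(parts) == 7 else ""))
    return {"evt.time": time, "evt.cpu": int(cpu), "proc.name": proc,
            "thread.tid": int(tid.strip("()")), "evt.dir": direction,
            "evt.type": etype, "evt.args": args}

def parse_output(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def fd_name(ev):  # path inside 'fd=3(<f>/etc/passwd)', else open's name= argument
    m = re.search(r"\(<\w>([^)]*)\)", ev["evt.args"].get("fd", ""))
    return m.group(1) if m else ev["evt.args"].get("name", "")

def get_field(ev, name):
    if name == "fd.name":
        return fd_name(ev)
    if name.startswith("evt.arg."):     # e.g. evt.arg.name -> the name= argument
        return ev["evt.args"].get(name[8:], "")
    if name in ev and name != "evt.args":
        return ev[name]
    raise KeyError(f"unsupported field: {name}")

# Filter grammar, a subset of sysdig's: or-expr > and-expr > not / ( ) > field op value
TOKEN = re.compile(r"\(|\)|!=|<=|>=|=|<|>|[^\s()=<>!]+")
OPS = {"=", "!=", "<", "<=", ">", ">=", "contains"}

def compare(lhs, op, rhs):
    if op == "contains":
        return rhs in str(lhs)
    try:                                # numeric comparison when both sides parse
        a, b = float(lhs), float(rhs)
    except ValueError:
        a, b = str(lhs), str(rhs)
    return {"=": a == b, "!=": a != b, "<": a < b,
            "<=": a <= b, ">": a > b, ">=": a >= b}[op]

class Filter:  # recursive-descent parser producing a tuple tree; matches() evaluates it
    def __init__(self, text):
        self.toks, self.pos = TOKEN.findall(text), 0
        self.tree = self._or()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok
    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._next()
            node = ("or", node, self._and())
        return node
    def _and(self):
        node = self._unary()
        while self._peek() == "and":
            self._next()
            node = ("and", node, self._unary())
        return node
    def _unary(self):
        if self._peek() == "not":
            self._next()
            return ("not", self._unary())
        if self._peek() == "(":
            self._next()
            node = self._or()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        fld, op, val = self._next(), self._next(), self._next()
        if op not in OPS or val is None:
            raise ValueError(f"malformed check near {fld!r}")
        return ("check", fld, op, val)
    def matches(self, ev):
        return self._eval(self.tree, ev)
    def _eval(self, n, ev):
        if n[0] == "check":
            return compare(get_field(ev, n[1]), n[2], n[3])
        if n[0] == "not":
            return not self._eval(n[1], ev)
        if n[0] == "and":
            return self._eval(n[1], ev) and self._eval(n[2], ev)
        return self._eval(n[1], ev) or self._eval(n[2], ev)

def apply_filter(text, filter_text):
    flt = Filter(filter_text)
    return [ev for ev in parse_output(text) if flt.matches(ev)]
```

apply_filter(SAMPLE_OUTPUT, "not(fd.name contains /proc or fd.name contains /dev)") returns only the two /etc/passwd events. As implemented here, not binds tightest, then and, then or, which is why that filter needs the parentheses. Note that this toy resolves fd.name from the arguments carried on each line, whereas sysdig resolves it through its state system; that is the state the -d option text warns can be lost when events are filtered before being analyzed.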
Sysdig’s chisels are little scripts that analyze the sysdig event stream to perform useful actions. To get the list of available chisels, type
$ sysdig -cl
For each chisel, you get the description and the list of arguments it expects. To run one of the chisels, you use the –c flag, e.g.:
$ sysdig -c topfiles_bytes
If a chisel needs arguments, you specify them after the chisel name:
$ sysdig -c spy_ip 192.168.1.157
Chisels can be combined with filters:
$ sysdig -c topfiles_bytes "not fd.name contains /dev"