three new filter fields: evt.deltatime evt.deltatime.s and evt.deltat…

…ime.ns + -tD flag to show time from previous event

userspace/libsinsp/filterchecks.cpp

@@ -1447,6 +1447,9 @@ const filtercheck_field_info sinsp_filter_check_event_fields[] =
 	{PT_RELTIME, EPF_NONE, PF_DEC, "evt.latency", "delta between an exit event and the correspondent enter event."},
 	{PT_RELTIME, EPF_NONE, PF_DEC, "evt.latency.s", "integer part of the event latency delta."},
 	{PT_RELTIME, EPF_NONE, PF_10_PADDED_DEC, "evt.latency.ns", "fractional part of the event latency delta."},
+	{PT_RELTIME, EPF_NONE, PF_DEC, "evt.deltatime", "delta between this event and the previous event."},
+	{PT_RELTIME, EPF_NONE, PF_DEC, "evt.deltatime.s", "integer part of the delta between this event and the previous event."},
+	{PT_RELTIME, EPF_NONE, PF_10_PADDED_DEC, "evt.deltatime.ns", "fractional part of the delta between this event and the previous event."},
 	{PT_CHARBUF, EPF_PRINT_ONLY, PF_NA, "evt.dir", "event direction can be either '>' for enter events or '<' for exit events."},
 	{PT_CHARBUF, EPF_NONE, PF_NA, "evt.type", "For system call events, this is the name of the system call (e.g. 'open')."},
 	{PT_INT16, EPF_NONE, PF_DEC, "evt.cpu", "number of the CPU where this event happened."},
@@ -1475,6 +1478,7 @@ sinsp_filter_check_event::sinsp_filter_check_event()
 	m_info.m_name = "evt";
 	m_info.m_fields = sinsp_filter_check_event_fields;
 	m_info.m_nfiedls = sizeof(sinsp_filter_check_event_fields) / sizeof(sinsp_filter_check_event_fields[0]);
+	m_u64val = 0;
 }
 
 sinsp_filter_check* sinsp_filter_check_event::allocate_new()
@@ -1752,6 +1756,9 @@ Json::Value sinsp_filter_check_event::extract_as_js(sinsp_evt *evt, OUT uint32_t
 	case TYPE_LATENCY:
 	case TYPE_LATENCY_S:
 	case TYPE_LATENCY_NS:
+	case TYPE_DELTA:
+	case TYPE_DELTA_S:
+	case TYPE_DELTA_NS:
 		return (Json::Value::Int64)*(uint64_t*)extract(evt, len);
 	case TYPE_COUNT:
 		m_u32val = 1;
@@ -1869,6 +1876,37 @@ uint8_t* sinsp_filter_check_event::extract(sinsp_evt *evt, OUT uint32_t* len)
 
 			return (uint8_t*)&m_u64val;
 		}
+	case TYPE_DELTA:
+	case TYPE_DELTA_S:
+	case TYPE_DELTA_NS:
+		{
+			if(m_u64val == 0)
+			{
+				m_u64val = evt->get_ts();
+				m_tsdelta = 0;
+			}
+			else
+			{
+				uint64_t tts = evt->get_ts();
+
+				if(m_field_id == TYPE_DELTA)
+				{
+					m_tsdelta = tts - m_u64val;
+				}
+				else if(m_field_id == TYPE_DELTA_S)
+				{
+					m_tsdelta = (tts - m_u64val) / ONE_SECOND_IN_NS;
+				}
+				else if(m_field_id == TYPE_DELTA_NS)
+				{
+					m_tsdelta = (tts - m_u64val) % ONE_SECOND_IN_NS;
+				}
+
+				m_u64val = tts;
+			}
+
+			return (uint8_t*)&m_tsdelta;
+		}
 	case TYPE_DIR:
 		if(PPME_IS_ENTER(evt->get_type()))
 		{

userspace/libsinsp/filterchecks.h

@@ -350,25 +350,28 @@ class sinsp_filter_check_event : public sinsp_filter_check
 		TYPE_LATENCY = 10,
 		TYPE_LATENCY_S = 11,
 		TYPE_LATENCY_NS = 12,
-		TYPE_DIR = 13,
-		TYPE_TYPE = 14,
-		TYPE_CPU = 15,
-		TYPE_ARGS = 16,
-		TYPE_ARGSTR = 17,
-		TYPE_ARGRAW = 18,
-		TYPE_INFO = 19,
-		TYPE_BUFFER = 20,
-		TYPE_RESSTR = 21,
-		TYPE_RESRAW = 22,
-		TYPE_FAILED = 23,
-		TYPE_ISIO = 24,
-		TYPE_ISIO_READ = 25,
-		TYPE_ISIO_WRITE = 26,
-		TYPE_IODIR = 27,
-		TYPE_ISWAIT = 28,
-		TYPE_ISSYSLOG = 29,
-		TYPE_COUNT = 30,
-		TYPE_AROUND = 31,
+		TYPE_DELTA = 13,
+		TYPE_DELTA_S = 14,
+		TYPE_DELTA_NS = 15,
+		TYPE_DIR = 16,
+		TYPE_TYPE = 17,
+		TYPE_CPU = 18,
+		TYPE_ARGS = 19,
+		TYPE_ARGSTR = 20,
+		TYPE_ARGRAW = 21,
+		TYPE_INFO = 22,
+		TYPE_BUFFER = 23,
+		TYPE_RESSTR = 24,
+		TYPE_RESRAW = 25,
+		TYPE_FAILED = 26,
+		TYPE_ISIO = 27,
+		TYPE_ISIO_READ = 28,
+		TYPE_ISIO_WRITE = 29,
+		TYPE_IODIR = 30,
+		TYPE_ISWAIT = 31,
+		TYPE_ISSYSLOG = 32,
+		TYPE_COUNT = 33,
+		TYPE_AROUND = 34,
 	};
 
 	sinsp_filter_check_event();

userspace/sysdig/man/sysdig.8

@@ -318,8 +318,8 @@ Use this option with caution, it can generate huge trace files.
 Change the way event time is diplayed.
 Accepted values are \f[B]h\f[] for human\-readable string, \f[B]a\f[]
 for absolute timestamp from epoch, \f[B]r\f[] for relative time from the
-beginning of the capture, and \f[B]d\f[] for delta between event enter
-and exit.
+beginning of the capture, \f[B]d\f[] for delta between event enter and
+exit, and \f[B]D\f[] for delta from the previous event.
 .PP
 \f[B]\-v\f[], \f[B]\-\-verbose\f[]
 .PD 0

userspace/sysdig/man/sysdig.md

@@ -137,7 +137,7 @@ OPTIONS
   Capture the first _len_ bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.
 
 **-t** _timetype_, **--timetype**=_timetype_  
-  Change the way event time is diplayed. Accepted values are **h** for human-readable string, **a** for absolute timestamp from epoch, **r** for relative time from the beginning of the capture, and **d** for delta between event enter and exit.
+  Change the way event time is diplayed. Accepted values are **h** for human-readable string, **a** for absolute timestamp from epoch, **r** for relative time from the beginning of the capture, **d** for delta between event enter and exit, and **D** for delta from the previous event.
 
 **-v**, **--verbose**  
   Verbose output.

userspace/sysdig/sysdig.cpp

@@ -165,7 +165,8 @@ static void usage()
 "                    Change the way event time is diplayed. Accepted values are\n"
 "                    h for human-readable string, a for absolute timestamp from\n"
 "                    epoch, r for relative time from the beginning of the\n"
-"                    capture, and d for delta between event enter and exit.\n"
+"                    capture, d for delta between event enter and exit, and\n"
+"                    D for delta from the previous event.\n"
 " -v, --verbose      Verbose output.\n"
 " --version          Print version number.\n"
 " -w <writefile>, --write=<writefile>\n"
@@ -945,6 +946,16 @@ sysdig_init_res sysdig_init(int argc, char **argv)
 					{
 						timefmt = "%evt.latency.s.%evt.latency.ns";
 					}
+					else if(tms == "D")
+					{
+						timefmt = "%evt.deltatime.s.%evt.deltatime.ns";
+					}
+					else
+					{
+						fprintf(stderr, "invalid modifier for flag -t\n");
+						delete inspector;
+						return sysdig_init_res(EXIT_FAILURE);
+					}
 				}
 				break;
 			case 'v':
@@ -973,7 +984,7 @@ sysdig_init_res sysdig_init(int argc, char **argv)
 				{
 					fprintf(stderr, "you cannot specify more than one output format\n");
 					delete inspector;
-					return sysdig_init_res(EXIT_SUCCESS);
+					return sysdig_init_res(EXIT_FAILURE);
 				}
 
 				event_buffer_format = sinsp_evt::PF_HEX;
@@ -983,7 +994,7 @@ sysdig_init_res sysdig_init(int argc, char **argv)
 				{
 					fprintf(stderr, "you cannot specify more than one output format\n");
 					delete inspector;
-					return sysdig_init_res(EXIT_SUCCESS);
+					return sysdig_init_res(EXIT_FAILURE);
 				}
 
 				event_buffer_format = sinsp_evt::PF_HEXASCII;