Event Scope (Legacy)

The Event Feed has been updated to enable users to both filter and search events using a single search query.

By default, the Events Feed displays events from the entire environment. However, you can configure the feed to show only events within a particular scope of that environment. The scope is configured with labels.

Labels refer to a set of meaningful key-value pairs (whitelist) that are defined by Sysdig Monitor. As a user, you can configure the whitelist. For example, if you are using Elastic Container Service (ECS) and have defined custom container labels, you can configure the whitelist to add the labels you need. Once done, all the infrastructure events related to containers will be enriched with these labels and display associated metadata.

For more information on scoping, refer to the Using Labels documentation.

Configure Event Scope

To configure the events feed scope:

  1. From the Events page, click Edit Events Scope.

  2. Expand the drop-down menu.

  3. Select the desired label, either by scrolling through the list, or by typing the name/partial name into the search bar, and selecting it.

  4. Open the Operator drop-down menu, and select the relevant option.

  5. Open the Value drop-down menu, and select the relevant options.

  6. Optional: Open the next level drop-down menu, and repeat steps 3-5.

  7. Optional: Repeat step 6 for each additional layer of scope required.

    Individual layers of the scope can be removed if necessary, by clicking the Delete (x) icon beside the relevant layer.

  8. Click the Apply button to save the new scope.

Filter Events by Scope

By default, events are filtered by scope in Dashboards and Explore to show the most relevant events associated with the selected scope. This capability enables you to quickly narrow down potential problems in the area you are examining. However, you can turn the filtering off and see events from the complete scope. To do so in Explore:

  1. From the Dashboard menu, select a dashboard of your choice.

  2. Click the Options (ellipsis icon) and select Events Display.

    The Events panel appears. You can do the following:

    • Determine whether to show events or not.

    • Filter events by:

      • Scope: Determine whether to show events by scope. Supported scopes are Team Scope and Dashboard Scope. Select an option to see only the relevant events.
      • Severity: The supported severity levels are all severity types, high severity, and both high and medium levels. See Severity and Status for more information.
      • Types: The types of events supported are custom events and alerts. See Event Types for more information.
      • Status: The supported statuses include triggered, resolved, acknowledged, and unacknowledged. See Severity and Status for more information.
  3. Click Save.

Reset the Environment Scope

To reset the scope to the entire environment:

  1. From the Events page, click Edit Events Scope.

  2. Click Clear All.

  3. Click Apply to save the changes.