Event Scope

By default, Events feed displays events from the entire environment. However, the feed can be configured to only show events from a particular scope within that environment. The scope of the event feeds can be configured by labels.

Labels refer to a set of meaningful key-value pair (whitelist) that is defined by Sysdig Monitor. As a user, you have the ability to configure the whitelist. For example, if you are using ECS and have custom container labels you have defined, you have the ability to configure the whitelist and add the labels you need. Once done, all the infrastructure events related to containers are enriched with these labels and the event scope will display associated metadata.

For more information on scoping, refer to the Using Labels documentation.

Configure Event Scope

To configure the events feed scope:

  1. From the Events page, click the Edit Events Scope.

  2. Expand the drop-down menu.

  3. Select the desired label, either by scrolling through the list, or by typing the name/partial name into the search bar, and selecting it.

  4. Open the Operator drop-down menu, and select the relevant option.

  5. Open the Value drop-down menu, and select the relevant options.

  6. Optional: Open the next level drop-down menu, and repeat steps 3-5.

  7. Optional: Repeat step 6 for each additional layer of scope required.

    Individual layers of the scope can be removed if necessary, by clicking the Delete (x) icon beside the relevant layer.

  8. Click the Apply button to save the new scope.

Filter Events by Scope

Events are by default filtered by scope in Dashboards and Explore to show the most relevant events associated with the selected scope. This capability enables you to quickly narrow down the potential problems in the area under purview. However, you can turn the filtering off and see Events from the complete scope. To do so in Explore:

  1. From the Dashboard menu, select a dashboard of your choice.

  2. Click the Options (ellipsis icon) and select Events Display.

    The Events panel appears. you can do the following:

    • Determine whether to show events or not.

    • Filter events by

      • Scope: Determine whether to show events by scope. Supported scopes are Team Scope and Dashboard Scope. Select an optionto see only the relevant events.
      • Severity: The supported severity levels are all severity types, high severity, and both high and medium levels. See Severity and Status for more information.
      • Types: The types of events supported are custom events and alerts. See Event Types for more information.
      • Status: The supported statuses include both status of the event as well as the resolution of the event. See Severity and Status for more information.

  3. Click Save.

Reset the Environment Scope

To reset the scope to the entire environment:

  1. From the Events page, click the Edit Events Scope.

  2. Click Clear All.

  3. Click the Apply to save the changes.