By default, Events feed displays events from the entire environment. However, the feed can be configured to only show events from a particular scope within that environment. The scope of the event feeds can be configured by labels.
Labels refer to a set of meaningful key-value pair (whitelist) that is defined by Sysdig Monitor. As a user, you have the ability to configure the whitelist. For example, if you are using ECS and have custom container labels you have defined, you have the ability to configure the whitelist and add the labels you need. Once done, all the infrastructure events related to containers are enriched with these labels and the event scope will display associated metadata.
For more information on scoping, refer to the Grouping, Scoping, and Segmenting Metrics documentation.
Configure Event Scope
To configure the events feed scope:
Eventsmodule, click the
Open the top-level drop-down menu.
Select the desired label, either by scrolling through the list, or by typing the name/partial name into the search bar, and selecting it.
Operatordrop-down menu, and select the relevant option.
Valuedrop-down menu, and select the relevant options.
Optional: Open the next level drop-down menu, and repeat steps 3-5.
Optional: Repeat step 6 for each additional layer of scope required.
Individual layers of the scope can be removed if necessary, by clicking the
Delete(x) icon beside the relevant layer.
Applybutton to save the new scope.
Filter Events by Scope
Events are by default filtered by scope in Dashboards and Explore to show the most relevant events associated with the selected scope. This capability enables you to quickly narrow down the potential problems in the area under purview. However, you can turn the filtering off and see Events from the complete scope. To do so in Explore:
On the Explore module, click the Options (three dots) icon and select Events.
The Events panel appears. you can do the following:
Determine whether to show events or not.
Determine the maximum number of events to be displayed in the Explore table.
Filter events by
Type: The types of events supported are custom events and alerts. See Event Types for more information.
State: The types of events supported are triggered and resolved. See Severity and Status for more information.
Severity: The supported severity levels are all severity types, high severity, and both high and medium levels. See Severity and Status for more information.
Resolution: The supported resolutions are both acknowledged and unacknowledged, acknowledged only, and unacknowledged only. See Severity and Status for more information.
Determine whether to show events by scope. Use the toggle button to turn off filtering by scope.
If you disable this option, the Explore table will show feed for all the events in the infrastructure, including those that are irrelevant to the selected scope. Leave the Filter events by selected scope option enabled to see only the relevant events.
Similarly, you can turn off filtering events by scope in Dashboards.
Reset the Environment Scope
To reset the scope to the entire environment:
From the Events module, click the
Applybutton to save the changes.