Filter and Search Events

Sysdig collects events from multiple data sources. Several filtering options are available to pinpoint the most relevant events. Beyond the basic filters for event type, status, and severity, you can filter by scope and with free text search. Use filters to refine the event feed by eliminating unnecessary information and focusing on events that are relevant to a given context.

Scope-Based Filtering

The scope of an event is the set of labels that define the environment or context in which the event occurred. Scope dimensions include the cluster, container image, and IP address. If recurrent Container died events are observed, it may be useful to filter the event feed by host to investigate whether the host hardware is responsible for the container failures.


Free text search covers several event attributes, including ID, name, description, and scope values. A free text search for Pod returns any event with Pod in its name, description, or a scope value. Combine scope-based filtering with free text search for the most precise results. The following queries pull any instance of Back-off pulling image in the web-shop namespace.


Search Fields

The search terms are used in a full text search across the following event fields:

  • ID
  • Name
  • Description
  • Scope Label Values
  • Tag Values

Additionally, for Alert Events, the following fields are included in the full text search:

  • Alert Condition
  • Alert State
  • Alert Threshold
  • Alert Type
  • Alert Notification Title

Search Syntax

Event search supports the following operators:

  • + signifies an AND operation (all the terms have to be present in the document)
  • | signifies an OR operation
  • - negates a single term
  • " wraps a number of terms to signify a phrase to search for
  • * at the end of a term signifies a prefix query
  • ( and ) signify precedence

The default operator binding the search terms together is AND. The implications of this are shown below in the Example Searches.

Example Searches

Container Killed: Match the events containing all search terms (Container AND Killed) because the default operator is AND.

Container + Killed: Match the events containing all search terms (Container AND Killed).

Container | Killed: Match the events containing any of the search terms (Container OR Killed).

-Container: Match the events that do not contain the search term (NOT Container).

"Container Killed": Match the events containing the exact phrase "Container Killed".

-"Container Killed": Match the events that do not contain the exact phrase "Container Killed".

Cont*: Match the events containing any term starting with Cont.

"Container + (Killed | Starting)": Match the events containing either the two terms Container and Killed or the two terms Container and Starting.

Container -Killed: Match the events that contain the term Container AND do not contain the term Killed. The default AND operator applies here.

Container | -Killed: Match the events that contain the term Container OR do not contain the term Killed. The query overrides the default AND operator by using an explicit |.
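To make the operator binding concrete, here is an added example (not Sysdig's code and not the engine behind the event search) that parses queries written in the syntax above and runs them against a constructed three-event feed; the tokenizer, the tree shape, and the whole-word versus substring matching rules are assumptions, and the real search may tokenize or rank differently.

```python
import re
# Tokens mirror the documented operators: quoted phrase, ( ) | +, leading "-" = negation,
# any other run of characters = a term (a trailing * makes it a prefix query).
TOKEN_RE = re.compile(r'"[^"]*"|[()|+]|-(?=\S)|[^\s()|+"]+')
SEARCH_FIELDS = ("id", "name", "description", "scope", "tags")  # the documented search fields

def parse(query):  # recursive descent: | binds loosest, then AND (the default), then - and ( )
    toks = [t for t in TOKEN_RE.findall(query) if t != "+"]  # "+" only spells out the default AND
    def parse_or():
        node = parse_and()
        while toks and toks[0] == "|":
            toks.pop(0)
            node = ("or", node, parse_and())
        return node
    def parse_and():  # adjacent terms with no operator between them are ANDed
        node = parse_unary()
        while toks and toks[0] not in ("|", ")"):
            node = ("and", node, parse_unary())
        return node
    def parse_unary():
        tok = toks.pop(0)
        if tok == "-":
            return ("not", parse_unary())
        if tok == "(":
            node = parse_or()
            assert toks.pop(0) == ")", "unbalanced parentheses"
            return node
        if tok.startswith('"'):
            return ("phrase", tok.strip('"').lower())
        return ("prefix", tok[:-1].lower()) if tok.endswith("*") else ("term", tok.lower())
    return parse_or()

def matches(node, words, text):
    sub = lambda n: matches(n, words, text)
    return {"and": lambda: sub(node[1]) and sub(node[2]),
            "or": lambda: sub(node[1]) or sub(node[2]),
            "not": lambda: not sub(node[1]),
            "prefix": lambda: any(w.startswith(node[1]) for w in words),
            "term": lambda: node[1] in words,  # whole-word match
            "phrase": lambda: node[1] in text}[node[0]]()  # exact phrase as a substring

def search(query, events):  # ids of the events whose search fields satisfy the query
    tree = parse(query)
    texts = {ev["id"]: " ".join(str(ev.get(f, "")) for f in SEARCH_FIELDS).lower() for ev in events}
    return [i for i, t in texts.items() if matches(tree, set(re.findall(r"[\w-]+", t)), t)]
# Constructed sample feed (not real Sysdig data) covering the documented example searches.
EVENTS = [dict(zip(("id", "name", "description", "scope"), row)) for row in (
    ("ev-1", "Container Killed", "OOMKilled", "namespace=web-shop"),
    ("ev-2", "Container Starting", "Back-off pulling image", "namespace=web-shop"),
    ("ev-3", "Pod Scheduled", "", "namespace=payments"))]
```

Running each query from the Example Searches through search(query, EVENTS) shows the difference between the implicit AND in Container -Killed (only ev-2) and the explicit OR in Container | -Killed (all three events).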