This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: Missing appname in lket output
- From: David Boreham <david_list at boreham dot org>
- To: Li Guanglei <guanglei at cn dot ibm dot com>
- Cc: SystemTap <systemtap at sources dot redhat dot com>
- Date: Wed, 08 Nov 2006 18:51:48 -0700
- Subject: Re: Missing appname in lket output
- References: <45526739.8090605@boreham.org> <45527A50.7030009@cn.ibm.com>
- Reply-to: david_list at boreham dot org
Li Guanglei wrote:
> After LKET starts, process_snapshot() will be called, but
> addevent.process.fork and addevent.process.execve won't be turned on
> by default. So if you have any new process to be forked/execved after
> LKET starts up, you will lose the appname info. This is why you see
> the appname listed as NULL.

<slaps forehead>
I did wonder about that but I figured 'no, it couldn't be that simple'.
But surely we need this documented, otherwise anyone using LKET will
have the same question? I'd be happy to update the man page if that'd
help.

> I once thought of turning on fork/execve events by default, but
> finally I left it to the users to decide whether they want to capture
> such events. Do you think we should turn on fork/execve capture by
> default since they have a negligible overhead?

Well I did assume that those probes were added by default, since I could
see that they were required by b2a. I would say yes, with perhaps a flag
to disable them for situations where enabling them would not be appropriate.

> I don't remember that LKET ever wrote event names into lket.out. Only
> group id and hook id are written. Can you paste here a snippet of the
> output?

Sure, I'm reading the man page here:
http://sourceware.org/systemtap/man5/lket-b2a.1.html
(cvs has the same version). I see output like this:

10.24319 APPNAME: sshd PID:7203 CPU:3 HOOKGRP:2 HOOKID:2 syscall:write,

that appears to show the event name: "syscall:write". But when I run
b2a I get output like this:

73.232758 APPNAME: mime.browse PID:19697 CPU:0 HOOKGRP:9 HOOKID:7
fd:9,buff_addr:-1208643584,count:3773,

After a few hours working with these files I do know that 9,7 is 'write',
but wouldn't it be handy to emit the event name in the file? (Actually
there's not much need IMHO for the group and hook ids because they're not
human-readable anyway.)

> Couple of reasons for postprocessing in MySQL:

Yeah I don't disagree, I'm just reporting my user experience.
Actually I'm supposedly a database expert, but I mainly work
with their internal implementation rather than actually _using_ them ;)

> This example will generate the top 10 most frequent syscalls

Examples would be good. I can probably generate some.
The first thing I need to do is make a script that invokes
mysql in an automated fashion, avoiding all that show databases; use
xxxxx; stuff. It should just pick the most recent one.
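As an added example (not code from this thread, from LKET or from SystemTap), here is a small Python parser for the lket-b2a text records quoted above, with the "top N most frequent events" count discussed at the end of the message done directly on the text file rather than in MySQL. It assumes one record per line (the record quoted above wraps across two lines, which is taken here to be e-mail line wrapping), it names only the (HOOKGRP, HOOKID) pair the message itself pins down ((9,7) is write; every other pair is printed as "grp:hook"), and the sample input is constructed, not captured from a run. The NULL appnames in the sample stand for the fork/execve-not-captured symptom Li explains at the top of the message, and the parser reports which PIDs were affected.

```python
import re
from collections import Counter

# Constructed sample of lket-b2a text output, not captured from a real run.
# The record layout copies the lines quoted in the thread; the NULL appnames
# stand for processes forked/execved after LKET started (Li's explanation).
SAMPLE_B2A_OUTPUT = """\
73.232758 APPNAME: mime.browse PID:19697 CPU:0 HOOKGRP:9 HOOKID:7 fd:9,buff_addr:-1208643584,count:3773,
73.232801 APPNAME: mime.browse PID:19697 CPU:0 HOOKGRP:9 HOOKID:7 fd:9,buff_addr:-1208643584,count:12,
73.233010 APPNAME: NULL PID:19820 CPU:1 HOOKGRP:9 HOOKID:3 fd:4,buff_addr:-1208640000,count:64,
73.233150 APPNAME: sshd PID:7203 CPU:3 HOOKGRP:9 HOOKID:7 fd:3,buff_addr:-1208641024,count:52,
73.233300 APPNAME: NULL PID:19820 CPU:1 HOOKGRP:9 HOOKID:7 fd:4,buff_addr:-1208640000,count:8,
73.233401 APPNAME: sshd PID:7203 CPU:3 HOOKGRP:2 HOOKID:2
"""

# The file carries no event names.  The only pair the thread pins down is
# (9,7) == write; everything else is shown as "grp:hook" (assumption).
KNOWN_EVENTS = {(9, 7): "write"}

# One b2a record per line (assumption): timestamp, APPNAME, PID, CPU,
# HOOKGRP, HOOKID, then an optional comma-separated key:value argument list.
RECORD_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+APPNAME:\s*(?P<app>\S+)\s+PID:(?P<pid>\d+)\s+CPU:(?P<cpu>\d+)"
    r"\s+HOOKGRP:(?P<grp>\d+)\s+HOOKID:(?P<hook>\d+)(?:\s+(?P<args>\S.*))?$"
)


def parse_args(text):
    """Turn 'fd:9,buff_addr:-1208643584,count:3773,' into a dict; ints where possible."""
    out = {}
    for field in filter(None, text.split(",")):
        key, _, value = field.partition(":")
        try:
            out[key] = int(value)
        except ValueError:
            out[key] = value
    return out


def parse_records(text):
    """Parse b2a text output; lines that do not look like a record are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": float(m["ts"]),
            # b2a prints the literal string NULL when the appname is unknown
            "app": None if m["app"] == "NULL" else m["app"],
            "pid": int(m["pid"]),
            "cpu": int(m["cpu"]),
            "event": (int(m["grp"]), int(m["hook"])),
            "args": parse_args(m["args"] or ""),
        })
    return records


def event_label(event):
    """Human-readable name where known, else the raw 'grp:hook' pair."""
    return KNOWN_EVENTS.get(event, "%d:%d" % event)


def top_events(records, n=10):
    """The n most frequent (HOOKGRP, HOOKID) pairs, most frequent first."""
    return Counter(r["event"] for r in records).most_common(n)


def unnamed_pids(records):
    """PIDs whose appname came out as NULL, i.e. processes LKET never saw exec."""
    return sorted({r["pid"] for r in records if r["app"] is None})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_B2A_OUTPUT)
    for event, count in top_events(recs):
        print("%-8s %d" % (event_label(event), count))
    print("PIDs with NULL appname:", unnamed_pids(recs))
```

Running it on the sample prints write first with four hits, the two unnamed pairs once each, and lists PID 19820 as the process whose name was lost; on a real trace, a non-empty list from unnamed_pids is the cue to re-run with the fork/execve events enabled.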