execsnoop: long timestamps unintentionally merge columns
martinvonwittich opened this issue · comments
I was trying to debug an issue by running execsnoop-bpfcc -t | tee execsnoop.log
, and later on using awk
to follow the process chains (ie. search for a specific process, get its PPID, search for the parent, get its PPID, ...). This works as long as the timestamps are < 1000s, because here there is whitespace between the first two columns:
971.495 sh 3220534 3220523 0 /bin/sh -c curl -fSs http://localhost:8008/health || exit 1
Unfortunately, as soon as the timestamps grow >1000s, the separating whitespace is gone:
1001.659sh 3220634 3220624 0 /bin/sh -c curl -fSs http://localhost:8008/health || exit 1
This makes it hard to parse the log with tools like awk
, because it changes the offsets of all further columns.
From what I can tell from the code, all values are printed with a fixed width, without explicit whitespace between the columns:
Lines 298 to 309 in f798668
The expectation is apparently that the columns will never take up the complete width, so that the remaining whitespace separates the columns.
I think someone might've just misunderstood the width for the printf %f
type in the %-8.3f
format string here - maybe the expectation was to reserve 8 characters for the integer part, and an additional 4 characters for the fractional part? As the 8 characters are used for the whole number and the whitespace between the columns, only 8 - 4 (fractional part) - 1 (whitespace) = 3 characters remain for the integer part.
I would suggest:
- either add explicit whitespace between the columns, regardless of the column width. If the columns weren't fixed width and just separated by
\t
, users could pipe the output throughcolumn -t
to get fixed-width formatting. - or increase the
%f
width to 8 + 4 + 1 = 13. That way, the problem would only occur whenexecsnoop
had been running continuously for >3 years.