Allow multiple filters #627

Putting whitespace changes in a separate commit.

Add support for an additional set of individual filters that can run alongside the main filter set in sinsp::set_filter(). Each additional filter comes with a list of event types for which the filter should run. sinsp::add_evttype_filter adds an event type filter to the inspector. It provides a list of event types and a sinsp_filter pointer. The list of event types can be empty, implying the filter is a catchall filter and should run for all event types. This does not replace the main function set_filter()--the idea is that you can specify a global filter as well as per-event type filters. Both will run for all events. An array m_filter_by_evttype maps from event type to a list of sinsp_filter pointers. Each list at index i holds the filters that should run for events with type i. A filter can run for multiple event types, so the sinsp_filter pointers can appear in multiple lists. There's a separate list m_catchall_evttype_filters that contains filters that should run for all event types. The individual filter pointers are also held in a list m_evttype_filters so they can be cleaned up on close(). A new method run_filters_on_evt() handles the details of running the main filter, catchall filters, and the individual filters. It finds the filters related to the event's type, and runs those filters. Falco uses the lua callbacks in lua_parser{_api} to populate filters as the lua code parses the rule's condition, so also modify lua_parser to add a optional flag to get_parser that steals the m_filter object and creates a new one. Falco calls get_parser for each rule's condition, which allows it to create a sinsp_filter object for each rule.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow multiple filters #627

Allow multiple filters #627

Commits on Jul 14, 2016