What would you like to be added:
Implement means to group similar events into one and display only event groups to the user.
Why is this needed:
As a user I would like to see which events are raised by the workload deployed into my cluster. Often, there are hundreds or thousands of events and it is very difficult to see what is really happening in the cluster.
We have seen cases with several thousand events that could be grouped into roughly 5 groups. It is obvious that a list of thousands of events is not useful where a list of 5 is.
The rule that has been implemented is extremely simple: group events where the rule, proc.cmdline, and proc.name fields are identical. This has worked well for some scenarios but did not work well for others (e.g. a loop invoking ping on different targets).
This rule also does not take into account debug sessions (different events from one single container/host) or events raised because of an actual attack. Those events should be grouped as well for better readability and post processing.
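The grouping rule described above, as an added example that is not the project's own code: `exact_key` reproduces the exact-match rule (identical rule, proc.cmdline and proc.name) and shows how a loop pinging different targets fans out into one group per target, while `normalized_key` is a hypothetical refinement that replaces IPv4 literals and bare numbers in the command line with placeholders so those events collapse into one group. The event shape (a `rule` string plus an `output_fields` map, as in Falco's JSON output), the rule names and all IDs are constructed sample data, not taken from the issue.

```python
import re
from collections import defaultdict

# Constructed sample: five events from a loop that pings different targets,
# plus two identical shell events. Rule names, IDs and addresses are made up.
SAMPLE_EVENTS = [
    {"rule": "Launch Suspicious Network Tool in Container",
     "output_fields": {"proc.name": "ping",
                       "proc.cmdline": f"ping -c 1 10.0.0.{i}",
                       "container.id": "c0ffee12"}}
    for i in range(1, 6)
] + [
    {"rule": "Terminal shell in container",
     "output_fields": {"proc.name": "bash", "proc.cmdline": "bash",
                       "container.id": "c0ffee12"}}
    for _ in range(2)
]

def exact_key(event):
    """The rule from the issue: identical rule, proc.name and proc.cmdline."""
    f = event["output_fields"]
    return (event["rule"], f.get("proc.name"), f.get("proc.cmdline"))

_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
_NUM = re.compile(r"\b\d+\b")

def normalized_key(event):
    """Hypothetical refinement (assumption, not the project's rule): same
    fields, but IPv4 literals and bare numbers in the command line become
    placeholders, so 'ping -c 1 10.0.0.3' and 'ping -c 1 10.0.0.4' share a key."""
    f = event["output_fields"]
    cmd = _NUM.sub("<n>", _IP.sub("<ip>", f.get("proc.cmdline", "")))
    return (event["rule"], f.get("proc.name"), cmd)

def group_events(events, key_fn):
    """Return {key: [events]} with keys in first-seen order."""
    groups = defaultdict(list)
    for ev in events:
        groups[key_fn(ev)].append(ev)
    return dict(groups)

def summarize(groups):
    """One display line per group (count + key) instead of the raw events."""
    return [f"{len(evs):>5}  {key}" for key, evs in groups.items()]

if __name__ == "__main__":
    for name, fn in (("exact", exact_key), ("normalized", normalized_key)):
        print(f"--- {name} grouping ---")
        print("\n".join(summarize(group_events(SAMPLE_EVENTS, fn))))
```

With the exact rule the sample yields 6 groups (one per ping target plus one for the shells); with the normalized key it yields 2.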