Skip to content

feat: add new metrics #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: add new metrics #22

wants to merge 5 commits into from
+183 −33

Conversation

edoardomich
Copy link

Enhance the coverage by including additional metrics introduced in version 7.0.x series, as well as new ones added in the recently released version 8.0.0. Additionally, I propose adding a flag to retrieve global metrics that represent the aggregated totals of the per-thread counters.

The tests were conducted using simple container images with Suricata v6.0.20, v7.0.11, and the newly released v8.0.0

@edoardomich
feat: add additional metrics
f7636ea 
Add additional metrics for version 7.0.x and the upcoming 8.0.0 and correct small typos and compatability problems with the old 6.0.20
@edoardomich
feat: add on demand Total metrics
6389b42 
Add also the option to expose overall total metrics defined at the top-level as the sum of all the per-thread ones, avoiding more computation on the receiving side
@edoardomich
test: correct TestDump604Netmap
90db565 
aligned with the total number of new metrics
awelzel
awelzel requested changes Jul 19, 2025
View reviewed changes
Copy link
Collaborator

@awelzel awelzel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @edoardomich , thanks for your contribution. Mind checking out the comments and see if you agree with them and adapt the changes?

If you could add a suricata dump-counters output into testdata for 8.0.x with the configuration you used to develop this, that'd be awesome! Maybe also add a smoke test for the flow_end merics that seemed to be non-functional. The tests aren't the best, but hopefully sufficient for adding another smoke test.

Thanks!

main.go Outdated
@@ -83,7 +83,7 @@ var (
newPerThreadGaugeMetric("capture", "afpacket_busy_loop_avg", "", "busy_loop_avg"),
// The following 4 are put into a single metrics afpacket_polls_total
// where the result is a labels.
// newPerThreadCounterMetric("capture", "afpacket_poll_total", "", "polls"),
newPerThreadCounterMetric("capture", "afpacket_poll_total", "", "polls"),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mind reverting this one? The idea here was that summing the afpacket_poll_results_total counters should result in the total. If this is not the case anymore, is perThreadAFPacketPollResultEntries missing an entry for a different result?

This is from the current suricata dev version and it seems signal, timeout, data, error capture polls.

    "capture": {
      "kernel_packets": 18574,
      "kernel_drops": 0,
      "errors": 0,
      "afpacket": {
        "busy_loop_avg": 0,
        "polls": 18422,
        "poll_signal": 0,
        "poll_timeout": 16464,
        "poll_data": 1958,
        "poll_errors": 0,
        "send_errors": 0
      }

main.go Outdated
// From: .thread.decoder.event.afpacket
// New in 8.0.0: d78f2c9a4e2b59f44daeddff098915084493d08d
perThreadDecoderEventAFPacketMetrics = []metricInfo{
newPerThreadCounterMetric("decoder_event", "afpacket_trunc_pkt", "", "trunc_pkt").Optional(),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
newPerThreadCounterMetric("decoder_event", "afpacket_trunc_pkt", "", "trunc_pkt").Optional(),
newPerThreadCounterMetric("decoder_event", "afpacket_truncated_packets_total", "", "trunc_pkt"),

Mostly to align with the other decoder packet counter metrics above (udp_packets_total) and dropping Optional() as it seems if afpacket is within decoder.event, can expect trunc_pkt to be included.

Aside, seems a bit unfortunate the metric is not part of the capture.afpacket object as the event is raised in source-af-packet.c, but not sure it's worth an upstream ticket to move or also include it there.

@jlucovsky / @jasonish, thoughts? Nothing urgent or to do, just some feedback / food for thought, for the afpacket.trunc_pkt stat.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok for the rename. I add Optional() to be compatible with previous versions (like version 7), since this metric was only included for version 8.0.0.

main.go
@@ -255,6 +314,12 @@ var (
newPerThreadCounterMetric("detect", "alerts_suppressed_total", "", "alerts_suppressed").Optional(),
}

// From .thread.file_store
perThreadFileStoreMetrics = []metricInfo{
newPerThreadCounterMetric("filestore", "open_files_max_hit", "", "open_files_max_hit").Optional(),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running a default configuration, I only see this in dump-counters:

        "file_store": {
          "open_files": 0
        },

Mind posting a section of your dump-counters that includes the filestore metrics?

The max_hit should probably also be a guage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awelzel awelzel awelzel requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@edoardomich @awelzel