fix(userspace/falco): n_evts does not containd the dropped events count

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2025-06-28 07:37:32 +00:00 · 2021-03-19 15:45:00 +00:00 · 2021-03-19 15:45:00 +00:00 · 199a1c22c6
commit 199a1c22c6
parent 5380fe5308
2 changed files with 4 additions and 7 deletions
--- a/falco.yaml
+++ b/falco.yaml
@ -80,7 +80,7 @@ buffered_outputs: false
 #
 # The rate at which log/alert messages are emitted is governed by a
 # token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of one message.
+# with a burst of one message (by default).
 #
 # The messages are emitted when the percentage of dropped system calls
 # with respect the number of events in the last second
--- a/userspace/falco/event_drops.cpp
+++ b/userspace/falco/event_drops.cpp
@ -87,14 +87,11 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
 			delta.n_drops++;
 		}

-		if(m_simulate_drops || (delta.n_drops > 0 && delta.n_evts > 0))
+		if(delta.n_drops > 0)
 		{
 			double ratio = delta.n_drops;
-			// Number of events can possiblity be zero here only when simulating drops
-			// In which case, ratio holds an infinite value
-			// Assuming IEC 559 (aka IEEE 754 - std::numeric_limits<T>::is_iec559) is true
-			// Anyways, this is always greater than zero when not simulating drops
-			ratio /= delta.n_evts;
+			// Assuming the number of event does not contains the dropped ones
+			ratio /= delta.n_drops + delta.n_evts;

 			// When simulating drops the threshold is always zero
 			if(ratio > m_threshold)