update(falco_metrics): rearrange evts and drops prometheus metrics

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
2025-08-30 21:25:06 +00:00 · 2024-09-11 06:00:09 +00:00 · 2024-09-11 06:00:09 +00:00 · 9669a4a0bb
commit 9669a4a0bb
parent 55069c8a0a
5 changed files with 64 additions and 15 deletions
--- a/unit_tests/engine/test_falco_utils.cpp
+++ b/unit_tests/engine/test_falco_utils.cpp
@ -73,12 +73,12 @@ TEST(FalcoUtils, parse_prometheus_interval)
 	ASSERT_EQ(falco::utils::parse_prometheus_interval("200"), 0UL);
 }

-TEST(FalcoUtils, sanitize_metric_name)
+TEST(FalcoUtils, sanitize_rule_name)
 {
-	ASSERT_EQ(falco::utils::sanitize_metric_name("Testing rule   2 (CVE-2244)"), "Testing_rule_2_CVE_2244");
-	ASSERT_EQ(falco::utils::sanitize_metric_name("Testing rule__:2)"), "Testing_rule_:2");
-	ASSERT_EQ(falco::utils::sanitize_metric_name("This@is_a$test rule123"), "This_is_a_test_rule123");
-	ASSERT_EQ(falco::utils::sanitize_metric_name("RULEwith:special#characters"), "RULEwith:special_characters");
+	ASSERT_EQ(falco::utils::sanitize_rule_name("Testing rule   2 (CVE-2244)"), "Testing_rule_2_CVE_2244");
+	ASSERT_EQ(falco::utils::sanitize_rule_name("Testing rule__:2)"), "Testing_rule_:2");
+	ASSERT_EQ(falco::utils::sanitize_rule_name("This@is_a$test rule123"), "This_is_a_test_rule123");
+	ASSERT_EQ(falco::utils::sanitize_rule_name("RULEwith:special#characters"), "RULEwith:special_characters");
 }

 TEST(FalcoUtils, matches_wildcard)
--- a/userspace/engine/falco_utils.cpp
+++ b/userspace/engine/falco_utils.cpp
@ -151,7 +151,7 @@ std::string calculate_file_sha256sum(const std::string& filename)
 }
 #endif

-std::string sanitize_metric_name(const std::string& name)
+std::string sanitize_rule_name(const std::string& name)
 {
 	std::string sanitized_name = name;
 	RE2::GlobalReplace(&sanitized_name, "[^a-zA-Z0-9_:]", "_");
--- a/userspace/engine/falco_utils.h
+++ b/userspace/engine/falco_utils.h
@ -31,7 +31,7 @@ uint64_t parse_prometheus_interval(std::string interval_str);
 std::string calculate_file_sha256sum(const std::string& filename);
 #endif

-std::string sanitize_metric_name(const std::string& name);
+std::string sanitize_rule_name(const std::string& name);

 std::string wrap_text(const std::string& in, uint32_t indent, uint32_t linelen);

--- a/userspace/falco/falco_metrics.cpp
+++ b/userspace/falco/falco_metrics.cpp
@ -15,6 +15,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

+#include <re2/re2.h>
+
 #include "falco_metrics.h"

 #include "falco_utils.h"
@ -246,21 +248,68 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 		for (auto& metric: metrics_snapshot)
 		{
 			prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
-			std::string namespace_name = "scap";
+			std::string prometheus_subsystem = "scap";
 			
 			if (metric.flags & METRICS_V2_RESOURCE_UTILIZATION || metric.flags & METRICS_V2_KERNEL_COUNTERS)
 			{
-				namespace_name = "falco";
+				prometheus_subsystem = "falco";
 			}

 			if (metric.flags & METRICS_V2_PLUGINS)
 			{
-				namespace_name = "plugins";
+				prometheus_subsystem = "plugins";
 			}

-			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", namespace_name);
+			if (strncmp(metric.name, "n_evts_cpu", 10) == 0 || strncmp(metric.name, "n_drops_cpu", 11) == 0) // prefix match
+			{
+				std::string name_str(metric.name);
+				re2::RE2 pattern("(\\d+)");
+				std::string cpu_number;
+				if (re2::RE2::PartialMatch(name_str, pattern, &cpu_number))
+				{
+					re2::RE2::GlobalReplace(&name_str, pattern, "");
+					auto metric_new = libs::metrics::libsinsp_metrics::new_metric(name_str.c_str(),
+								METRICS_V2_KERNEL_COUNTERS, // todo replace with new METRICS_V2_KERNEL_COUNTERS_PER_CPU after bumping libs the next time
+								METRIC_VALUE_TYPE_U64,
+								METRIC_VALUE_UNIT_COUNT,
+								METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+								metric.value.u64);
+					const std::map<std::string, std::string>& const_labels = {
+						{"cpu", cpu_number}
+					};
+					prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric_new, "falcosecurity", prometheus_subsystem, const_labels);
+				}
+			}
+			else if (strncmp(metric.name, "n_drops_buffer_total", 21) == 0) // exact match
+			{
+				continue;
+			}
+			else if (strncmp(metric.name, "n_drops_buffer", 14) == 0) // prefix match
+			{
+				re2::RE2 pattern("n_drops_buffer_([^_]+(?:_[^_]+)*)_(enter|exit)$");
+				std::string drop;
+				std::string dir;
+				std::string name_str(metric.name);
+				if (re2::RE2::FullMatch(name_str, pattern, &drop, &dir))
+				{
+					auto metric_new = libs::metrics::libsinsp_metrics::new_metric("n_drops_buffer",
+								METRICS_V2_KERNEL_COUNTERS,
+								METRIC_VALUE_TYPE_U64,
+								METRIC_VALUE_UNIT_COUNT,
+								METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+								metric.value.u64);
+					const std::map<std::string, std::string>& const_labels = {
+						{"drop", drop},
+						{"dir", dir}
+					};
+					prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric_new, "falcosecurity", prometheus_subsystem, const_labels);
+				}
+			}
+			else
+			{
+				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", prometheus_subsystem);
+			}
 		}
-
 	}
 	return prometheus_text;
 }
--- a/userspace/falco/stats_writer.cpp
+++ b/userspace/falco/stats_writer.cpp
@ -346,7 +346,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 	{
 		fs::path fs_path = item.first;
 		std::string metric_name_file_sha256 = fs_path.filename().stem();
-		metric_name_file_sha256 = "falco.sha256_rules_file." + falco::utils::sanitize_metric_name(metric_name_file_sha256);
+		metric_name_file_sha256 = "falco.sha256_rules_file." + falco::utils::sanitize_rule_name(metric_name_file_sha256);
 		output_fields[metric_name_file_sha256] = item.second;
 	}

@ -354,7 +354,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 	{
 		fs::path fs_path = item.first;
 		std::string metric_name_file_sha256 = fs_path.filename().stem();
-		metric_name_file_sha256 = "falco.sha256_config_file." + falco::utils::sanitize_metric_name(metric_name_file_sha256);
+		metric_name_file_sha256 = "falco.sha256_config_file." + falco::utils::sanitize_rule_name(metric_name_file_sha256);
 		output_fields[metric_name_file_sha256] = item.second;
 	}

@ -434,7 +434,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 				continue;
 			}
 			auto rule = rules.at(i);
-			std::string rules_metric_name = "falco.rules." + falco::utils::sanitize_metric_name(rule->name);
+			std::string rules_metric_name = "falco.rules." + falco::utils::sanitize_rule_name(rule->name);
 			output_fields[rules_metric_name] = rule_count;
 		}
 	}