PatternFilter

PatternFilter support regex pattern to filter data.

class duetector.filters.pattern.PatternFilter(config: Config | dict[str, Any] | None = None, *args, **kwargs)[source]

A Filter support regex pattern to filter data.

There are following config build-in:

Customize exclude is also supported:

You can change custom to any field you want to filter out.

Config enable_customize_exclude to enable customize exclude, default is True.

Use (?!…) for include pattern:

Note

We using python literal to parse config, so you can use environment variable to pass list:
- Recommended: {PREFIX...}RE_EXCLUDE_FNAME="['/proc*', '/sys*']".
- Remember to quote the value, otherwise it will be parsed as a expression, e.g. {PREFIX...}RE_EXCLUDE_FNAME=[/proc*] will cause SyntaxError or ValueError. and will fallback to split by comma.

So either use python literal or string split by comma:

Recommended: {PREFIX...}RE_EXCLUDE_FNAME="['/proc*', '/sys*']"
It’s OK: {PREFIX...}RE_EXCLUDE_FNAME="/proc*, /sys*"
Wrong: {PREFIX...}RE_EXCLUDE_FNAME=[/proc*, /sys*], this will be converted to a list of "[/proc*" and "/sys*]".

static _wrap_exclude_list(value: str | list[str]) → set[str][source]: Wrap exclude list to list if it’s not a list

default_config = {'disabled': False, 'enable_customize_exclude': True, 'exclude_gid': [0], 'exclude_pid': [], 'exclude_uid': [0], 'ignore_current_pid': True, 're_exclude_comm': [], 're_exclude_fname': ['/proc', '/sys', '/lib', '/dev', '/run', '/usr/lib', '/etc/ld.so.cache']}: Default config for PatternFilter

filter(data: namedtuple) → namedtuple | None[source]: Filter data, return None to drop data, return data to keep data.

is_exclude(data: namedtuple, enable_customize_exclude=False) → bool[source]: Customize exclude function, return True to drop data, return False to keep data.

re_exclude(field: str | None, re_list: str | list[str]) → bool[source]: Check if field match any pattern in re_list