sysdig: Information overload

I have seen several sites and software lists that include sysdig, usually with high praise for providing an unmatched level of insight into the inner workings of a system.

And that, I cannot dispute. I can’t think of a tool that spools quite the volume of raw data — and I do mean volume and I do mean raw — as sysdig can.


That was just a smidgin — a smidgin, I tell you — of what sysdig started piping to my terminal. Vast volumes of internal clock checks, software requests, hardware reports … you name it. Everything stamped and logged, and open for scrutiny.

In that sense, sysdig does a terrific job of giving you the aforementioned unmatched level of insight into the inner workings of your system.

My problem is, there is so much raw data and so much detail in the information, I honestly don’t know what to do with it.

Seriously: Barely 30 seconds or so of sysdig’s output, piped into a plain text file, resulted in 20 megabytes — and I spelled that out as megabytes so there wouldn’t be any confusion — of raw text data. And that’s on a 12-year-old desktop system running a smattering of desktop applications. I can’t imagine what kind of volume would appear in a proper, high-end system doing real work, like a web server.

On top of that, sysdig itself is a rather taxing application … or at least it is on the hardware I run. While sysdig is doing its thing, I get lags while typing, skipping music playback, etc., etc. It’s obvious that tracking detail at that level is imposing a serious drag on the system. Observer effect, anyone?
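Two things a practitioner would want here, as an added example that is mine and not code from the post or from the sysdig project: a bounded capture so the event stream never reaches the terminal unfiltered, and a small summariser that turns the default text output into counts per process and syscall plus a list of which process opened which file. The `-M`, `-C`, `-s`, `-w` and `-r` flags and the `evt.type` / `fd.name` filter fields are real sysdig options; the default line layout (event number, time, CPU, process name, tid in parentheses, `>` or `<` direction, event type, arguments) is my assumption about the format and should be checked against your own output; the sample lines are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the post. (1) bound a live sysdig capture so it does not
# flood the terminal or disk; (2) summarise the default text output so the raw
# event stream becomes something you can act on. Sample lines below are constructed.

# (1) Capture side. These are sysdig's own flags: -M stops after N seconds,
# -C rotates the capture file every N MB, -s caps the bytes copied per event
# (default 80), -w writes a binary capture that can be replayed later with -r.
# The trailing argument is a sysdig filter; verify field names with `sysdig -l`.
# Needs root and the sysdig kernel module loaded; this function is not called below.
capture_bounded() {
    # usage: capture_bounded out.scap 30 'evt.type=open and fd.name contains /etc'
    sudo sysdig -M "$2" -C 50 -s 80 -w "$1" "$3"
}

# (2) Post-processing of the default line format, assumed here to be
#   evt.num evt.time cpu proc.name (tid) dir evt.type evt.args...
# where dir is ">" for syscall entry and "<" for exit. Only exit lines are counted
# so each syscall is counted once rather than twice.
summarize_sysdig() {
    awk '$6 == "<" { n[$4 " " $7]++ }
         END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Which process opened which file, taken from the name= token of open exits.
opened_files() {
    awk '$6 == "<" && $7 == "open" {
             for (i = 8; i <= NF; i++) if ($i ~ /^name=/) print $4, substr($i, 6)
         }'
}

# Constructed sample standing in for a real capture (real output is a few
# hundred thousand of these lines per half minute on a busy box).
sample_events() {
    cat <<'EOF'
1001 12:00:00.000100000 0 bash (2201) > open
1002 12:00:00.000101000 0 bash (2201) < open fd=3(<f>/etc/hosts) name=/etc/hosts flags=1(O_RDONLY) mode=0
1003 12:00:00.000150000 1 mpd (1788) > read fd=9(<f>/home/user/music/track.flac) size=65536
1004 12:00:00.000160000 1 mpd (1788) < read res=65536 data=fLaC
1005 12:00:00.000170000 0 bash (2201) > poll fds=0:u1 timeout=1000
1006 12:00:00.000171000 0 bash (2201) < poll res=0 fds=
1007 12:00:00.000200000 1 mpd (1788) > read fd=9(<f>/home/user/music/track.flac) size=65536
1008 12:00:00.000210000 1 mpd (1788) < read res=65536 data=fLaC
1009 12:00:00.000300000 0 sshd (901) > open
1010 12:00:00.000301000 0 sshd (901) < open fd=4(<f>/etc/shadow) name=/etc/shadow flags=1(O_RDONLY) mode=0
EOF
}

# Stand-alone demo on the constructed sample.
sample_events | summarize_sysdig
sample_events | opened_files
```

Two caveats. The awk summariser splits on whitespace, so a process name containing a space breaks the field positions; for anything beyond a quick look, `sysdig -j` emits one JSON object per event and is the robust input. And, as far as I know, sysdig applies the filter in userspace after the kernel module has already copied the events, so a tight filter shrinks what reaches your disk and terminal but does not by itself remove the drag the post describes; `-s` and a short `-M` are what limit the cost of a capture.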

sysdig in Arch builds a kernel module (sysdig-probe) that must be loaded before sysdig will work. I didn’t try Debian yet; my Linux Mint machine is offline for a day or so, for misbehaving. (I also occasionally punish my TV for saying rude things, so this is not unexpected.)

I won’t duplicate the glowing praise that sysdig gets in other circles, just because there seems to be a heavy tradeoff in using it, from my standpoint. Yes, it will let you see every clock sync between your hardware and software, and you’ll see exactly when the downbeat of “Bring da Ruckus” leaves your music player and departs your speakers.

But you’ll need a degree of power to keep both the system and sysdig afloat at the same time. I’m guessing if your machine predates the Pentium 4 generation, you might have trouble with that. Just so you know. 😐