[lttng-tools.git] / doc / man / lttng-event-rule.7.txt

lttng-event-rule(7)
===================
:revdate: 18 May 2021


NAME
----
lttng-event-rule - Common LTTng event rule specification


SYNOPSIS
--------
Specify an event rule to match Linux kernel tracepoint or system call
events:

[verse]
option:--type=(**kernel:tracepoint** | **kernel:syscall**[**:entry**|**:exit**|**pass:[:entry+exit]**])]
pass:[[]option:--name='NAME'] [option:--filter='EXPR']

Specify an event rule to match Linux kernel kprobe or user space
probe events:

[verse]
option:--type=(**kernel:kprobe** | **kernel:uprobe**) option:--location='LOC'
pass:[[]option:--event-name='EVENTNAME']

Specify an event rule to match user space tracepoint events:

[verse]
option:--type=**user:tracepoint** [option:--name='NAME'] [option:--exclude-name='XNAME']...
pass:[[]option:--log-level=('LOGLEVEL' | 'LOGLEVEL'.. | ..)] [option:--filter='EXPR']

Specify an event rule to match Java/Python logging events:

[verse]
option:--type=(**jul** | **log4j** | **log4j2** | **python**)**:logging** [option:--name='NAME']
pass:[[]option:--log-level=('LOGLEVEL' | 'LOGLEVEL'.. | ..)] [option:--filter='EXPR']


DESCRIPTION
-----------
This manual page shows how to specify an LTTng event rule on the command
line.

As of LTTng{nbsp}{lttng_version}, the command-line options documented
here only apply to the `event-rule-matches` trigger condition specifier
(see man:lttng-add-trigger(1)).

See man:lttng-concepts(7) to learn more about instrumentation points,
events, and event rules.

[NOTE]
====
This manual page only describes the common event rule options. The
man:lttng(1) commands which require an event rule specification may
accept or require other options and arguments, depending on the context.

For example, the man:lttng-add-trigger(1) command also accepts
nloption:--capture options with the `event-rule-matches` trigger
condition.
====


Overview of event rule condtions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For LTTng to emit an event{nbsp}__E__,{nbsp}__E__ must satisfy *all* the
conditions of an event rule, that is:

* The instrumentation point from which LTTng creates{nbsp}__E__ has a
  specific type.
+
See the ``<<inst-point-type-cond,Instrumentation point type
condition>>'' section below.

* A pattern matches the name of{nbsp}__E__ while another pattern
  doesn't.
+
See the ``<<event-name-cond,Event name condition>>'' section below.

* The log level of the instrumentation point from which LTTng
  creates{nbsp}__E__ is at least as severe as some value, or is exactly
  some value.
+
See the ``<<inst-point-log-level-cond,Instrumentation point log level
condition>>'' section below.

* The fields of the payload of{nbsp}__E__ and the current context fields
  satisfy a filter expression.
+
See the ``<<filter-cond,Event payload and context filter condition>>''
section below.

The dedicated command-line options of most conditions are optional: if
you don't specify the option, the associated condition is always
satisfied.


[[inst-point-type-cond]]
Instrumentation point type condition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An event{nbsp}__E__ satisfies the instrumentation point type condition
of an event rule if the instrumentation point from which LTTng
creates{nbsp}__E__ is, depending on the argument of the option:--type
option:

`kernel:tracepoint`::
    An LTTng kernel tracepoint, that is, a statically defined point
    in the source code of the kernel image or of a kernel module
    with LTTng kernel tracer macros.
+
List the available Linux kernel tracepoints with `lttng list --kernel`.
See man:lttng-list(1) to learn more.

`kernel:syscall:entry`::
`kernel:syscall:exit`::
`kernel:syscall:entry+exit`::
    The entry, exit, or entry and exit of a Linux kernel system
    call.
+
List the available Linux kernel system call instrumentation points with
`lttng list --kernel --syscall`. See man:lttng-list(1) to learn more.

`kernel:kprobe`::
    A Linux kprobe, that is, a single probe dynamically placed in
    the compiled kernel code.
+
You must specify the kprobe location with the option:--location option.
+
The payload of a Linux kprobe event is empty.

`kernel:uprobe`::
    A Linux user space probe, that is, a single probe dynamically
    placed at the entry of a compiled user space application/library
    function through the kernel.
+
LTTng{nbsp}{lttng_version} supports the ELF and SystemTap User-level
Statically Defined Tracing (USDT; a DTrace-style marker) probing
methods. LTTng only supports USDT probes which are :not:
reference-counted.
+
You must specify the user space probe location with the
option:--location option.
+
The payload of a Linux user space probe event is empty.

`user:tracepoint`::
    An LTTng user space tracepoint, that is, a statically defined point
    in the source code of a C/$$C++$$ application/library with LTTng
    user space tracer macros.
+
List the available user space tracepoints with `lttng list --userspace`.
See man:lttng-list(1) to learn more.

`jul:logging`::
    A `java.util.logging` logging statement.
+
List the available `java.util.logging` loggers with `lttng list --jul`
See man:lttng-list(1) to learn more.

`log4j:logging`::
    An Apache Log4j 1.x logging statement.
+
List the available Apache Log4j 1.x loggers with `lttng list --log4j`
See man:lttng-list(1) to learn more.

`log4j2:logging`::
    An Apache Log4j 2 logging statement.
+
List the available Apache Log4j 2 loggers with `lttng list --log4j2`
See man:lttng-list(1) to learn more.

`python:logging`::
    A Python logging statement.
+
List the available Python loggers with `lttng list --python` See
man:lttng-list(1) to learn more.


[[event-name-cond]]
Event name condition
~~~~~~~~~~~~~~~~~~~~
An event{nbsp}__E__ satisfies the event name condition of an event
rule{nbsp}__ER__ if the two following statements are true:

* You don't specify the option:--name='NAME' option or, depending on the
  instrumentation type condition (see the
  ``<<inst-point-type-cond,Instrumentation point type condition>>''
  section above) of{nbsp}__ER__, 'NAME' matches:
+
--
`kernel:tracepoint`::
`user:tracepoint`::
    The full name of the tracepoint from which LTTng creates{nbsp}__E__.
+
Note that the full name of a user space tracepoint is
__PROVIDER__++:++__NAME__, where __PROVIDER__ is the tracepoint provider
name and __NAME__ is the tracepoint name.

`jul:logging`::
`log4j:logging`::
`log4j2:logging`::
`python:logging`::
    The name of the Java or Python logger from which LTTng
    creates{nbsp}__E__.

`kernel:syscall:entry`::
`kernel:syscall:exit`::
`kernel:syscall:entry+exit`::
    The name of the system call, without any `sys_` prefix, from which
    LTTng creates{nbsp}__E__.
--

* You don't specify any option:--exclude-name='XNAME' option or
  none of the 'XNAME' arguments matches the full name of the user space
  tracepoint from which LTTng creates{nbsp}__E__.
+
The option:--exclude-name option is only available with the
option:--type=++user:tracepoint++ option.

This condition is only meaningful for the LTTng tracepoint, logging
statement, and Linux system call instrumentation point types: it's
always satisfied for the other types.

In all cases, 'NAME' and 'XNAME' are globbing patterns: the `*`
character means ``match anything''. To match a literal `*` character,
use :escwc:.

IMPORTANT: Make sure to **single-quote** 'NAME' and 'XNAME' when they
contain the `*` character and when you run an man:lttng(1) command from
a shell.

As of LTTng{nbsp}{lttng_version}, not specifying the option:--name
option is equivalent to specifying option:--name=++\'*\'++, but this
default may change in the future.


[[inst-point-log-level-cond]]
Instrumentation point log level condition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An event{nbsp}__E__ satisfies the instrumentation point log level
condition of an event rule if either:

* You specify the option:--log-level=++..++ option or you don't specify
  the option:--log-level option.
+
Defaulting to option:--log-level=++..++ when you don't specify the
option:--log-level option is specific to LTTng{nbsp}{lttng_version} and
may change in the future.

* The log level of the LTTng user space tracepoint or logging statement
  from which LTTng creates{nbsp}__E__ is:
      With the option:--log-level=__LOGLEVEL__++..++ option::
          At least as severe as 'LOGLEVEL'.

      With the option:--log-level=__LOGLEVEL__ option::
          Exactly 'LOGLEVEL'.

As of LTTng{nbsp}{lttng_version}, the ++..++__LOGLEVEL__ and
__LOGLEVEL__++..++__LOGLEVEL__ formats are :not: supported.

This condition is only meaningful for the LTTng user space tracepoint
and logging statement instrumentation point types: it's always satisfied
for other types.

The available values of 'LOGLEVEL' are, depending on the argument of
the option:--type option, from the most to the least severe:

`user:tracepoint`::
+
* `EMERG` (0)
* `ALERT` (1)
* `CRIT` (2)
* `ERR` (3)
* `WARNING` (4)
* `NOTICE` (5)
* `INFO` (6)
* `DEBUG_SYSTEM` (7)
* `DEBUG_PROGRAM` (8)
* `DEBUG_PROCESS` (9)
* `DEBUG_MODULE` (10)
* `DEBUG_UNIT` (11)
* `DEBUG_FUNCTION` (12)
* `DEBUG_LINE` (13)
* `DEBUG` (14)

`jul:logging`::
+
* `OFF` (`INT32_MAX`)
* `SEVERE` (1000)
* `WARNING` (900)
* `INFO` (800)
* `CONFIG` (700)
* `FINE` (500)
* `FINER` (400)
* `FINEST` (300)
* `ALL` (`INT32_MIN`)

`log4j:logging`::
+
* `OFF` (`INT32_MAX`)
* `FATAL` (50000)
* `ERROR` (40000)
* `WARN` (30000)
* `INFO` (20000)
* `DEBUG` (10000)
* `TRACE` (5000)
* `ALL` (`INT32_MIN`)

`log4j2:logging`::
+
* `OFF` (`0`)
* `FATAL` (100)
* `ERROR` (200)
* `WARN` (300)
* `INFO` (400)
* `DEBUG` (500)
* `TRACE` (600)
* `ALL` (`INT32_MAX`)

`python:logging`::
+
* `CRITICAL` (50)
* `ERROR` (40)
* `WARNING` (30)
* `INFO` (20)
* `DEBUG` (10)
* `NOTSET` (0)


[[filter-cond]]
Event payload and context filter condition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An event{nbsp}__E__ satisfies the event payload and context filter
condition of an event rule if the option:--filter='EXPR' option is
missing or if 'EXPR' is _true_.

This condition is only meaningful for the LTTng tracepoint and Linux
system call instrumentation point types: it's always satisfied for other
types.

'EXPR' can contain references to the payload fields of{nbsp}__E__ and
to the current context fields.

IMPORTANT: Make sure to **single-quote** 'EXPR' when you run an
man:lttng(1) command from a shell, as filter expressions typically
include characters having a special meaning for most shells.

The expected syntax of 'EXPR' is similar to the syntax of a
C{nbsp}language conditional expression (an expression which an `if`
statement can evaluate), but there are a few differences:

* A _NAME_ expression identifies an event payload field named
  _NAME_ (a C{nbsp}identifier).
+
Use the C{nbsp}language dot and square bracket notations to access
nested structure and array/sequence fields. You can only use a constant,
positive integer number within square brackets. If the index is out of
bounds, 'EXPR' is _false_.
+
The value of an enumeration field is an integer.
+
When a field expression doesn't exist, 'EXPR' is _false_.
+
Examples: `my_field`, `target_cpu`, `seq[7]`, `msg.user[1].data[2][17]`.

* A ++$ctx.++__TYPE__ expression identifies the statically-known context
  field having the type _TYPE_ (a C{nbsp}identifier).
+
List the available statically-known context field names with the
man:lttng-add-context(1) command.
+
When a field expression doesn't exist, 'EXPR' is _false_.
+
Examples: `$ctx.prio`, `$ctx.preemptible`,
`$ctx.perf:cpu:stalled-cycles-frontend`.

* A ++$app.++__PROVIDER__++:++__TYPE__ expression identifies the
  application-specific context field having the type _TYPE_ (a
  C{nbsp}identifier) from the provider _PROVIDER_ (a C{nbsp}identifier).
+
When a field expression doesn't exist, 'EXPR' is _false_.
+
Example: `$app.server:cur_user`.

* Compare strings, either string fields or string literals
  (double-quoted), with the `==` and `!=` operators.
+
When comparing to a string literal, the `*` character means ``match
anything''. To match a literal `*` character, use :escwc:.
+
Examples: `my_field == "user34"`, `my_field == my_other_field`,
`my_field == "192.168.*"`.

* The precedence table of the operators which are supported in 'EXPR'
  is as follows. In this table, the highest precedence is{nbsp}1:
+
[options="header"]
|===
|Precedence |Operator |Description |Associativity
|1 |`-` |Unary minus |Right-to-left
|1 |`+` |Unary plus |Right-to-left
|1 |`!` |Logical NOT |Right-to-left
|1 |`~` |Bitwise NOT |Right-to-left
|2 |`<<` |Bitwise left shift |Left-to-right
|2 |`>>` |Bitwise right shift |Left-to-right
|3 |`&` |Bitwise AND |Left-to-right
|4 |`^` |Bitwise XOR |Left-to-right
|5 |`\|` |Bitwise OR |Left-to-right
|6 |`<` |Less than |Left-to-right
|6 |`<=` |Less than or equal to |Left-to-right
|6 |`>` |Greater than |Left-to-right
|6 |`>=` |Greater than or equal to |Left-to-right
|7 |`==` |Equal to |Left-to-right
|7 |`!=` |Not equal to |Left-to-right
|8 |`&&` |Logical AND |Left-to-right
|9 |`\|\|` |Logical OR |Left-to-right
|===
+
Parentheses are supported to bypass the default order.
+
IMPORTANT: Unlike the C{nbsp}language, the bitwise AND and OR operators
(`&` and `|`) in 'EXPR' take precedence over relational operators (`<`,
`<=`, `>`, `>=`, `==`, and `!=`). This means the expression `2 & 2 == 2`
is _true_ while the equivalent C{nbsp}expression is _false_.
+
The arithmetic operators are :not: supported.
+
LTTng first casts all integer constants and fields to signed 64-bit
integers. The representation of negative integers is two's complement.
This means that, for example, the signed 8-bit integer field 0xff (-1)
becomes 0xffffffffffffffff (still -1) once casted.
+
Before a bitwise operator is applied, LTTng casts all its operands to
unsigned 64-bit integers, and then casts the result back to a signed
64-bit integer. For the bitwise NOT operator, it's the equivalent of
this C{nbsp}expression:
+
[source,c]
----
(int64_t) ~((uint64_t) val)
----
+
For the binary bitwise operators, it's the equivalent of those
C{nbsp}expressions:
+
[source,c]
----
(int64_t) ((uint64_t) lhs >> (uint64_t) rhs)
(int64_t) ((uint64_t) lhs << (uint64_t) rhs)
(int64_t) ((uint64_t) lhs & (uint64_t) rhs)
(int64_t) ((uint64_t) lhs ^ (uint64_t) rhs)
(int64_t) ((uint64_t) lhs | (uint64_t) rhs)
----
+
If the right-hand side of a bitwise shift operator (`<<` and `>>`) is
not in the [0,{nbsp}63] range, then 'EXPR' is _false_.

'EXPR' examples:

----------------------------
msg_id == 23 && size >= 2048
----------------------------

-------------------------------------------------
$ctx.procname == "lttng*" && (!flag || poel < 34)
-------------------------------------------------

---------------------------------------------------------
$app.my_provider:my_context == 17.34e9 || some_enum >= 14
---------------------------------------------------------

---------------------------------------
$ctx.cpu_id == 2 && filename != "*.log"
---------------------------------------

------------------------------------------------
eax_reg & 0xff7 == 0x240 && x[4] >> 12 <= 0x1234
------------------------------------------------


Migration from a recording event rule specification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since LTTng{nbsp}2.13, what this manual page documents is the standard,
common way to specify an LTTng event rule.

With the man:lttng-enable-event(1) command, you also specify an event
rule, but with deprecated options and arguments.

The following table shows how to translate from the
man:lttng-enable-event(1) options and arguments to the common event
rule specification options:

[options="header"]
|===
|Recording event rule option(s)/argument(s) |Common event rule option(s)

|nloption:--kernel and nloption:--tracepoint
|option:--type=++kernel:tracepoint++

|nloption:--kernel and nloption:--syscall
|option:--type=++kernel:syscall:entry+exit++

|nloption:--probe='LOC' and 'RECORDNAME' (non-option)
|option:--type=++kernel:kprobe++, option:--location='LOC', and
option:--event-name='RECORDNAME'

|nloption:--userspace-probe='LOC' and 'RECORDNAME' (non-option)
|option:--type=++kernel:uprobe++, option:--location='LOC', and
option:--event-name='RECORDNAME'

|nloption:--function='LOC' and 'RECORDNAME' (non-option)
|Not available as of LTTng{nbsp}{lttng_version}

|nloption:--userspace and nloption:--tracepoint
|option:--type=++user:tracepoint++

|nloption:--jul and nloption:--tracepoint
|option:--type=++jul:logging++

|nloption:--log4j and nloption:--tracepoint
|option:--type=++log4j:logging++

|nloption:--log4j2 and nloption:--tracepoint
|option:--type=++log4j2:logging++

|nloption:--python and nloption:--tracepoint
|option:--type=++python:logging++

|'NAME' (non-option)
|option:--name='NAME'

|nloption:--all
|option:--name=++\'*\'++ or no option:--name option

|nloption:--exclude=__XNAME__[++,++__XNAME__]...
|option:--exclude-name='XNAME' for each 'XNAME'

|nloption:--loglevel='LOGLEVEL'
|option:--log-level=__LOGLEVEL__++..++

|nloption:--loglevel-only='LOGLEVEL'
|option:--log-level=__LOGLEVEL__

|nloption:--filter='EXPR'
|option:--filter='EXPR'
|===


OPTIONS
-------
Instrumentation point type condition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
See the ``<<inst-point-type-cond,Instrumentation point type
condition>>'' section above.

option:-E 'NAME', option:--event-name='NAME'::
    With the option:--type=++kernel:kprobe++ or
    option:--type=++kernel:uprobe++ option, set the name of the emitted
    events to 'NAME' instead of the 'LOC' argument of the
    option:--location='LOC' option.
+
Defaulting to 'LOC' is specific to LTTng{nbsp}{lttng_version} and may
change in the future.

option:-L 'LOC', option:--location='LOC'::
    With the option:--type=++kernel:kprobe++ option:::
        Set the location of the Linux kprobe to insert to 'LOC'.
+
'LOC' is one of:
+
* An address (`0x` hexadecimal prefix supported).
* A symbol name.
* A symbol name and an offset (__SYMBOL__++pass:[+]++__OFFSET__ format).

    With the option:--type=++kernel:uprobe++ option:::
        Set the location of the user space probe to insert to 'LOC'.
+
'LOC' is one of:
+
\[++elf:++]__PATH__++:++__SYMBOL__::::
    An available symbol within a user space application or library.
+
--
'PATH'::
    Application or library path.
+
One of:
+
* An absolute path.
* A relative path.
* The name of an application as found in the directories listed in the
  `PATH` environment variable.

'SYMBOL'::
    Symbol name of the function of which to instrument the entry.
+
'SYMBOL' can be any defined code symbol in the output of the man:nm(1)
command, including with its nloption:--dynamic option, which lists
dynamic symbols.
--
+
As of LTTng{nbsp}{lttng_version}, not specifying `elf:` is equivalent to
specifying it, but this default may change in the future.
+
Examples:
+
* `/usr/lib/libc.so.6:malloc`
* `./myapp:createUser`
* `elf:httpd:ap_run_open_htaccess`

++sdt:++__PATH__++:++__PROVIDER__++:++__NAME__::::
    A SystemTap User-level Statically Defined Tracing (USDT) probe
    within a user space application or library.
+
--
'PATH'::
    Application or library path.
+
This can be:
+
* An absolute path.
* A relative path.
* The name of an application as found in the directories listed in the
  `PATH` environment variable.

'PROVIDER'::
'NAME'::
    USDT provider and probe names.
+
For example, with the following USDT probe:
+
[source,c]
----
DTRACE_PROBE2("server", "accept_request",
              request_id, ip_addr);
----
+
The provider/probe name pair is `server:accept_request`.
--
+
Example: `sdt:./build/server:server:accept_request`

option:-t 'TYPE', option:--type='TYPE'::
    Only match events which LTTng creates from an instrumentation point
    having the type 'TYPE'.
+
'TYPE' is one of:
+
`kernel:tracepoint`:::
    LTTng kernel tracepoint.
+
As of LTTng{nbsp}{lttng_version}, `kernel` is an alias, but this may
change in the future.

`user:tracepoint`:::
    LTTng user space tracepoint.
+
As of LTTng{nbsp}{lttng_version}, `user` is an alias, but this may
change in the future.

`kernel:syscall:entry`:::
    Linux system call entry.
+
As of LTTng{nbsp}{lttng_version}, `syscall:entry` is an alias, but this
may change in the future.

`kernel:syscall:exit`:::
    Linux system call exit.
+
As of LTTng{nbsp}{lttng_version}, `syscall:exit` is an alias, but this
may change in the future.

`kernel:syscall:entry+exit`:::
    Linux system call entry and exit (two distinct instrumentation
    points).
+
As of LTTng{nbsp}{lttng_version}, the following are aliases, but this
may change in the future:
+
* `syscall:entry+exit`
* `kernel:syscall`
* `syscall`

`kernel:kprobe`:::
    Linux kprobe.
+
As of LTTng{nbsp}{lttng_version}, `kprobe` is an alias, but this may
change in the future.
+
You must specify the location of the kprobe to insert with the
option:--location option.
+
You may specify the name of the emitted events with the
option:--event-name option.

`kernel:uprobe`:::
    Linux user space probe.
+
You must specify the location of the user space probe to insert with the
option:--location option.
+
You may specify the name of the emitted events with the
option:--event-name option.

`jul:logging`:::
    `java.util.logging` logging statement.
+
As of LTTng{nbsp}{lttng_version}, `jul` is an alias, but this may change
in the future.

`log4j:logging`:::
    Apache Log4j 1.x logging statement.
+
As of LTTng{nbsp}{lttng_version}, `log4j` is an alias, but this may
change in the future.

`log4j2:logging`:::
    Apache Log4j 2 logging statement.
+
As of LTTng{nbsp}{lttng_version}, `log4j2` is an alias, but this may
change in the future.

`python:logging`:::
    Python logging statement.
+
As of LTTng{nbsp}{lttng_version}, `python` is an alias, but this may
change in the future.


Event name condition
~~~~~~~~~~~~~~~~~~~~
See the ``<<event-name-cond,Event name condition>>'' section above.

option:-n 'NAME', option:--name='NAME'::
    Only match events of which 'NAME' matches, depending on the
    argument of the option:--type option:
+
--
`kernel:tracepoint`::
`user:tracepoint`::
    The full name of the LTTng tracepoint.

`jul:logging`::
`log4j:logging`::
`log4j2:logging`::
`python:logging`::
    The Java or Python logger name.

`kernel:syscall:entry`::
`kernel:syscall:exit`::
`kernel:syscall:entry+exit`::
    The name of the system call, without any `sys_` prefix.
--
+
This option is :not: available with other instrumentation point types.
+
As of LTTng{nbsp}{lttng_version}, not specifying this option is
equivalent to specifying option:--name=++\'*\'++ (when it applies), but
this default may change in the future.

option:-x 'XNAME', option:--exclude-name='XNAME'::
    Only match events of which 'XNAME' does :not: match the full name of
    the LTTng user space tracepoint.
+
Only available with the option:--type=++user:tracepoint++ option.

'NAME' and 'XNAME' are globbing patterns: the `*` character means
``match anything''. To match a literal `*` character, use :escwc:.


Instrumentation point log level condition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
See the ``<<inst-point-log-level-cond,Instrumentation point log level
condition>>'' section above.

option:-l 'LOGLEVELSPEC', option:--log-level='LOGLEVELSPEC'::
    Only match events of which the log level of the LTTng tracepoint or
    logging statement is, depending on the format of 'LOGLEVELSPEC':
+
--
__LOGLEVEL__++..++::
    At least as severe as 'LOGLEVEL'.

'LOGLEVEL'::
    Exactly 'LOGLEVEL'.

++..++::
    Anything.
--
+
This option is :not: available with the following options:
+
* option:--type=++kernel:tracepoint++
* option:--type=++kernel:syscall:entry++
* option:--type=++kernel:syscall:exit++
* option:--type=++kernel:syscall:entry+exit++
* option:--type=++kernel:kprobe++
* option:--type=++kernel:uprobe++
+
As of LTTng{nbsp}{lttng_version}, not specifying this option is
equivalent to specifying option:--log-level=++..++ (when it applies),
but this default may change in the future.


Event payload and context filter condition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
See the ``<<filter-cond,Event payload and context filter condition>>''
section above.

option:-f 'EXPR', option:--filter='EXPR'::
    Only match events of which 'EXPR', which can contain references to
    event payload and current context fields, is _true_.
+
This option is only available with the following options:
+
* option:--type=++kernel:tracepoint++
* option:--type=++kernel:syscall:entry++
* option:--type=++kernel:syscall:exit++
* option:--type=++kernel:syscall:entry+exit++


include::common-footer.txt[]


SEE ALSO
--------
man:lttng(1),
man:lttng-add-trigger(1),
man:lttng-list(1),
man:lttng-concepts(7)