Running Containers and Container Lifespan
Using Sophos Linux Sensor's container events, it's possible to query which containers have spun up, whether they're alive, and if not, how long they were alive. The query will return the most recent container events in descending order.
Required Tables
- container_events
Input Fields
The query can limit how many results are shown by replacing the default value of 10 in the query.
Returned Fields
| Field | Description |
|---|---|
| image_name | The name of the image |
| started | When the container was started |
| duration | How long it ran |
Query
SELECT image_name,
FROM_UNIXTIME(container_events.unix_nano_timestamp/1e9) AS started,
(exit_event.unix_nano_timestamp-container_events.unix_nano_timestamp)/1e9 AS duration
FROM container_events
LEFT OUTER JOIN
(SELECT unix_nano_timestamp, container_id
FROM container_events
WHERE event_type=3) AS exit_event
ON container_events.container_id = exit_event.container_id
WHERE event_type = 2 AND (exit_event.unix_nano_timestamp > container_events.unix_nano_timestamp OR exit_event.unix_nano_timestamp IS NULL)
ORDER BY container_events.unix_nano_timestamp DESC LIMIT 10