Skip to main content
Core event sections are generated directly by Retis and cannot be disabled. They provide fundamental information about when, where, and in what context an event occurred.

Common Section

The common section is always present in every event. It contains temporal and execution context information.
timestamp
u64
required
Event timestamp in nanoseconds. The clock source and format depend on configuration.
smp_id
u32
SMP processor ID where the event was captured.
task
TaskEvent
Information about the Linux task that triggered the event.

TaskEvent Fields

Display Format

{timestamp} ({smp_id}) [{comm}] {pid}/{tgid}
If pid equals tgid, only tgid is shown.

Example JSON

{
  "common": {
    "timestamp": 7322460997041,
    "smp_id": 2,
    "task": {
      "pid": 1234,
      "tgid": 1234,
      "comm": "curl"
    }
  }
}

Kernel Section

The kernel section appears when an event is generated from a kernel probe (kprobe, kretprobe, or raw tracepoint).
symbol
string
required
Name of the kernel function or tracepoint where the event was captured.
probe_type
string
required
Type of probe. One of:
  • "kprobe" - Kernel probe
  • "kretprobe" - Kernel return probe
  • "raw_tracepoint" - Raw tracepoint
stack_trace
StackTrace
Kernel stack trace at the probe location (when enabled).

StackTrace

Display Format

[{probe_abbr}] {symbol}
Probe abbreviations:
  • [k] for kprobe
  • [kr] for kretprobe
  • [tp] for raw_tracepoint

Example JSON

{
  "kernel": {
    "symbol": "kfree_skb_reason",
    "probe_type": "kprobe",
    "stack_trace": [
      "kfree_skb_reason",
      "tcp_v4_rcv",
      "ip_local_deliver_finish",
      "ip_local_deliver"
    ]
  }
}

Userspace Section

The userspace section appears when an event is generated from a userspace probe (currently only USDT).
probe_type
string
required
Type of userspace probe. Currently only "usdt" is supported.
symbol
string
required
Symbol name of the probe that generated the event.
ip
u64
required
Instruction pointer - address of the symbol associated with the event.
path
string
required
Full path to the binary containing the probe.
pid
i32
required
Process ID where the probe fired.
tid
i32
required
Thread ID where the probe fired.

Display Format

[u] {symbol} ({binary_name})

Example JSON

{
  "userspace": {
    "probe_type": "usdt",
    "symbol": "http__server__request",
    "ip": 140737353940123,
    "path": "/usr/bin/node",
    "pid": 5678,
    "tid": 5680
  }
}

Startup Section

The startup section is emitted once when a collection starts. It contains metadata about the collection environment.
retis_version
string
required
Version of Retis used to collect the events.
cmdline
string
required
Full command line used to invoke Retis.
clock_monotonic_offset
TimeSpec
required
CLOCK_MONOTONIC offset relative to local machine time, used for UTC conversion during post-processing.
machine
MachineInfo
required
Information about the machine where events were collected.
split_file
SplitFile
Information about file splitting if rotation is enabled.

MachineInfo Fields

Example JSON

{
  "startup": {
    "retis_version": "1.0.0",
    "cmdline": "retis collect -c skb,skb-tracking",
    "clock_monotonic_offset": {
      "tv_sec": 1678901234,
      "tv_nsec": 567890123
    },
    "machine": {
      "kernel_release": "6.0.8-300.fc37.x86_64",
      "kernel_version": "#1 SMP PREEMPT_DYNAMIC",
      "hardware_name": "x86_64"
    }
  }
}
The startup section appears only once per collection, not in every event. It provides global context for interpreting all subsequent events.

Build docs developers (and LLMs) love

Get started for freeTalk to us