Updated ebpf input plugin doc with new config options and cleanup. Fixes #2239.

eschabell · eschabell · commit e68ae1a9c125 · 2025-11-28T13:34:06.000+01:00
Signed-off-by: Eric D. Schabell &lt;eric@schabell.org&gt;
diff --git a/pipeline/inputs/ebpf.md b/pipeline/inputs/ebpf.md
@@ -8,6 +8,16 @@ The `in_ebpf` input plugin uses eBPF (extended Berkeley Packet Filter) to captur
 
 The `in_ebpf` plugin leverages eBPF to trace kernel events in real-time. By specifying trace points, users can collect targeted system-level metrics and events, giving visibility into operating system interactions and performance characteristics.
 
+## Configuration parameters
+
+The plugin supports the following configuration parameters:
+
+| Key | Description | Default |
+|:----|:------------|:--------|
+| `poll_ms` | Set the polling interval in milliseconds for collecting events from the ring buffer. | `1000` |
+| `ringbuf_map_name` | Set the name of the eBPF ring buffer map to read events from. | `events` |
+| `trace` | Set the eBPF trace to enable (for example, `trace_bind`, `trace_malloc`, `trace_signal`). Can be set multiple times to enable multiple traces. | _none_ |
+
 ## System dependencies
 
 To enable `in_ebpf`, ensure the following dependencies are installed on your system:
@@ -75,6 +85,7 @@ Here's a basic example of how to configure the plugin:
 pipeline:
   inputs:
     - name: ebpf
+      poll_ms: 500
       trace:
         - trace_signal
         - trace_malloc
@@ -87,6 +98,7 @@ pipeline:
 ```text
 [INPUT]
   Name          ebpf
+  Poll_Ms       500
   Trace         trace_signal
   Trace         trace_malloc
   Trace         trace_bind
@@ -103,3 +115,49 @@ The configuration enables tracing for:
 
 You can enable multiple traces by adding multiple `Trace` directives in your configuration.
 Full list of existing traces can be seen here: [Fluent Bit eBPF Traces](https://github.com/fluent/fluent-bit/tree/master/plugins/in_ebpf/traces)
+
+## Output fields
+
+Each trace produces records with common fields and trace-specific fields.
+
+### Common fields
+
+All traces include the following fields:
+
+| Field | Description |
+|:------|:------------|
+| `event_type` | Type of event (`signal`, `malloc`, or `bind`). |
+| `pid` | Process ID that generated the event. |
+| `tid` | Thread ID that generated the event. |
+| `comm` | Command name (process name) that generated the event. |
+
+### Signal trace fields
+
+The `trace_signal` trace includes these additional fields:
+
+| Field | Description |
+|:------|:------------|
+| `signal` | Signal number that was sent. |
+| `tpid` | Target process ID that received the signal. |
+
+### Memory trace fields
+
+The `trace_malloc` trace includes these additional fields:
+
+| Field | Description |
+|:------|:------------|
+| `operation` | Memory operation type (for example, `0` = `malloc`, `1` = `free`, `2` = `calloc`, `3` = `realloc`). |
+| `address` | Memory address of the operation. |
+| `size` | Size of the memory operation in bytes. |
+
+### Bind trace fields
+
+The `trace_bind` trace includes these additional fields:
+
+| Field | Description |
+|:------|:------------|
+| `uid` | User ID of the process. |
+| `gid` | Group ID of the process. |
+| `port` | Port number the socket is binding to. |
+| `bound_dev_if` | Network device interface the socket is bound to. |
+| `error_raw` | Error code for the bind operation (`0` indicates success). |
