refactor(flags)!: extract sort-events from options

josedonizetti · josedonizetti · commit 209d12511ce8 · 2026-01-18T09:46:14.000-03:00
diff --git a/deploy/helm/tracee/templates/tracee-config.yaml b/deploy/helm/tracee/templates/tracee-config.yaml
@@ -151,7 +151,7 @@ data:
             stack-addresses: {{ .Values.config.output.options.stackAddresses }}
             exec-env: {{ .Values.config.output.options.execEnv }}
             exec-hash: {{ .Values.config.output.options.execHash }}
-            sort-events: {{ .Values.config.output.options.sortEvents }}
+        sort-events: {{ .Values.config.output.sortEvents }}
         {{- with .Values.config.output.webhook }}
         webhook:
             - {{ .name | default "webhook1" }}:
diff --git a/deploy/helm/tracee/values.yaml b/deploy/helm/tracee/values.yaml
@@ -133,7 +133,7 @@ config:
       stackAddresses: false
       execEnv: false
       execHash: dev-inode
-      sortEvents: false
+    sortEvents: false
     # uncomment config.output.webhook to enable a single webhook
     # to configure multiple webhooks, use the configFile field
     # webhook:
diff --git a/deploy/kubernetes/tracee/tracee.yaml b/deploy/kubernetes/tracee/tracee.yaml
@@ -59,7 +59,7 @@ data:
             stack-addresses: false
             exec-env: false
             exec-hash: dev-inode
-            sort-events: false
+        sort-events: false
 ---
 # Source: tracee/templates/role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/docs/docs/flags/output.1.md b/docs/docs/flags/output.1.md
@@ -11,7 +11,7 @@ tracee **\-\-output** - Control how and where output is printed
 
 ## SYNOPSIS
 
-tracee **\-\-output** destinations.*name*.*field*=*value* | option:{stack-addresses,exec-env,exec-hash[={inode,dev-inode,digest-inode}],parse-arguments,parse-arguments-fds,sort-events}
+tracee **\-\-output** destinations.*name*.*field*=*value* | option:{stack-addresses,exec-env,exec-hash[={inode,dev-inode,digest-inode}],parse-arguments,parse-arguments-fds} | sort-events
 
 
 ## DESCRIPTION
@@ -37,7 +37,7 @@ Output destinations are configured using the format: `--output destinations.<nam
 
 ### Output Options
 
-- **option:{stack-addresses,exec-env,exec-hash,parse-arguments,parse-arguments-fds,sort-events}**: Augment output according to the given options. Multiple options can be specified, separated by commas.
+- **option:{stack-addresses,exec-env,exec-hash,parse-arguments,parse-arguments-fds}**: Augment output according to the given options. Multiple options can be specified, separated by commas.
 
   - **stack-addresses**: Include stack memory addresses for each event.
   - **exec-env**: When tracing execve/execveat, show the environment variables that were used for execution.
@@ -48,7 +48,8 @@ Output destinations are configured using the format: `--output destinations.<nam
     - **digest-inode**: Most efficient, keys hash to container image digest and inode pair. Requires container enrichment.
   - **parse-arguments**: Parse event arguments into human-readable strings instead of raw machine-readable values.
   - **parse-arguments-fds**: Enable parse-arguments and enrich file descriptors with file path translation. May cause pipeline slowdowns.
-  - **sort-events**: Enable sorting events before passing them to output. May decrease overall program efficiency.
+
+- **sort-events**: Enable sorting events before passing them to output. May decrease overall program efficiency.
 
 ## EXAMPLES
 
diff --git a/docs/docs/outputs/output-options.md b/docs/docs/outputs/output-options.md
@@ -107,13 +107,12 @@ See the [Sorting Events](./sorting-events.md) documentation for details on how t
 **Configuration:**
 ```yaml
 output:
-  options:
-    sort-events: true
+  sort-events: true
 ```
 
 **CLI:**
 ```bash
-tracee --output option:sort-events
+tracee --output sort-events
 ```
 
 ## See Also
diff --git a/docs/docs/outputs/sorting-events.md b/docs/docs/outputs/sorting-events.md
@@ -7,15 +7,14 @@ The sorting feature sorts incoming events from the BPF programs chronologically
 Enable event sorting using the `sort-events` option:
 
 ```console
-tracee --output option:sort-events
+tracee --output sort-events
 ```
 
 Or in a configuration file:
 
 ```yaml
 output:
-  options:
-    sort-events: true
+  sort-events: true
 ```
 
 !!! Information
diff --git a/docs/docs/policies/usage/cli.md b/docs/docs/policies/usage/cli.md
@@ -117,7 +117,7 @@ output:
     exec-hash: dev-inode
     parse-arguments: true
     parse-arguments-fds: true
-    sort-events: true
+  sort-events: true
   destinations:
     - name: stdout
       format: json
diff --git a/docs/man/output.1 b/docs/man/output.1
@@ -6,7 +6,8 @@ tracee \f[B]\-\-output\f[R] \- Control how and where output is printed
 .SS SYNOPSIS
 tracee \f[B]\-\-output\f[R]
 destinations.\f[I]name\f[R].\f[I]field\f[R]=\f[I]value\f[R] |
-option:{stack\-addresses,exec\-env,exec\-hash[={inode,dev\-inode,digest\-inode}],parse\-arguments,parse\-arguments\-fds,sort\-events}
+option:{stack\-addresses,exec\-env,exec\-hash[={inode,dev\-inode,digest\-inode}],parse\-arguments,parse\-arguments\-fds} |
+sort\-events
 .SS DESCRIPTION
 The \f[B]\-\-output\f[R] flag allows you to control how and where the
 output is printed using destinations and output options.
@@ -42,7 +43,7 @@ template format
 protocol
 .SS Output Options
 .IP \[bu] 2
-\f[B]option:{stack\-addresses,exec\-env,exec\-hash,parse\-arguments,parse\-arguments\-fds,sort\-events}\f[R]:
+\f[B]option:{stack\-addresses,exec\-env,exec\-hash,parse\-arguments,parse\-arguments\-fds}\f[R]:
 Augment output according to the given options.
 Multiple options can be specified, separated by commas.
 .RS 2
@@ -81,11 +82,11 @@ strings instead of raw machine\-readable values.
 \f[B]parse\-arguments\-fds\f[R]: Enable parse\-arguments and enrich file
 descriptors with file path translation.
 May cause pipeline slowdowns.
+.RE
 .IP \[bu] 2
 \f[B]sort\-events\f[R]: Enable sorting events before passing them to
 output.
 May decrease overall program efficiency.
-.RE
 .SS EXAMPLES
 .IP \[bu] 2
 To output events as JSON to stdout using a destination named
diff --git a/examples/config/global_config.yaml b/examples/config/global_config.yaml
@@ -178,7 +178,7 @@ output:
     #     exec-hash: dev-inode     # Options: none, inode, dev-inode, digest-inode
     #     parse-arguments: true
     #     parse-arguments-fds: false
-    #     sort-events: false
+    # sort-events: false
 
 # Signatures directory for custom signatures
 signatures-dir: ""
diff --git a/pkg/cmd/flags/config_test.go b/pkg/cmd/flags/config_test.go
@@ -269,7 +269,7 @@ output:
     - option:exec-hash=dev-inode
     - option:parse-arguments
     - option:parse-arguments-fds
-    - option:sort-events
+    - sort-events
     - table:file1
     - json:file2    
     - gotemplate=template1:file3,file4    
@@ -282,7 +282,7 @@ output:
 				"option:exec-hash=dev-inode",
 				"option:parse-arguments",
 				"option:parse-arguments-fds",
-				"option:sort-events",
+				"sort-events",
 				"table:file1",
 				"json:file2",
 				"gotemplate=template1:file3,file4",
diff --git a/pkg/cmd/flags/output.go b/pkg/cmd/flags/output.go
@@ -87,12 +87,12 @@ type OutputOptsConfig struct {
 	ExecHash          string `mapstructure:"exec-hash"`
 	ParseArguments    bool   `mapstructure:"parse-arguments"`
 	ParseArgumentsFDs bool   `mapstructure:"parse-arguments-fds"`
-	SortEvents        bool   `mapstructure:"sort-events"`
 }
 
 // OutputConfig is the config of the output.
 type OutputConfig struct {
 	Options      OutputOptsConfig     `mapstructure:"options"`
+	SortEvents   bool                 `mapstructure:"sort-events"`
 	Destinations []DestinationsConfig `mapstructure:"destinations"`
 	Streams      []StreamConfig       `mapstructure:"streams"`
 }
@@ -120,8 +120,8 @@ func (c *OutputConfig) flags() []string {
 	if c.Options.ParseArgumentsFDs {
 		flags = append(flags, fmt.Sprintf("%s:%s", optionFlag, parseArgumentsFDsFlag))
 	}
-	if c.Options.SortEvents {
-		flags = append(flags, fmt.Sprintf("%s:%s", optionFlag, sortEventsFlag))
+	if c.SortEvents {
+		flags = append(flags, sortEventsFlag)
 	}
 
 	// destinations
@@ -214,6 +214,11 @@ func PrepareOutput(outputSlice []string, containerMode config.ContainerMode) (*c
 				return nil, NoneOutputPathError()
 			}
 			destinationMap["stdout"] = "ignore"
+		case sortEventsFlag:
+			if len(outputParts) > 1 {
+				return nil, InvalidOutputFlagError(outputParts[0])
+			}
+			traceeConfig.EventsSorting = true
 		case tableFlag, jsonFlag:
 			err := parseFormat(outputParts, destinationMap)
 			if err != nil {
@@ -545,8 +550,6 @@ func SetOption(cfg *config.OutputConfig, option string) error {
 	case parseArgumentsFDsFlag:
 		cfg.ParseArgumentsFDs = true
 		cfg.ParseArguments = true // no point in parsing file descriptor args only
-	case sortEventsFlag:
-		cfg.EventsSorting = true
 	default:
 		if strings.HasPrefix(option, "exec-hash") {
 			hashExecParts := strings.Split(option, "=")
diff --git a/pkg/cmd/flags/output_test.go b/pkg/cmd/flags/output_test.go
@@ -404,7 +404,7 @@ func TestPrepareOutput(t *testing.T) {
 		},
 		{
 			testName:    "option sort-events",
-			outputSlice: []string{"option:sort-events"},
+			outputSlice: []string{"sort-events"},
 			expectedOutput: config.OutputConfig{
 				ParseArguments: true,
 				EventsSorting:  true,
@@ -427,7 +427,7 @@ func TestPrepareOutput(t *testing.T) {
 				"option:exec-hash=dev-inode",
 				"option:parse-arguments",
 				"option:parse-arguments-fds",
-				"option:sort-events",
+				"sort-events",
 			},
 			expectedOutput: config.OutputConfig{
 				StackAddresses:    true,
@@ -876,11 +876,9 @@ func TestOutputConfig_flags(t *testing.T) {
 		{
 			name: "sort-events option only",
 			config: OutputConfig{
-				Options: OutputOptsConfig{
-					SortEvents: true,
-				},
+				SortEvents: true,
 			},
-			expected: []string{"option:sort-events"},
+			expected: []string{"sort-events"},
 		},
 		{
 			name: "all options",
@@ -892,8 +890,8 @@ func TestOutputConfig_flags(t *testing.T) {
 					ExecHash:          "inode",
 					ParseArguments:    true,
 					ParseArgumentsFDs: true,
-					SortEvents:        true,
 				},
+				SortEvents: true,
 			},
 			expected: []string{
 				"none",
@@ -902,7 +900,7 @@ func TestOutputConfig_flags(t *testing.T) {
 				"option:exec-hash=inode",
 				"option:parse-arguments",
 				"option:parse-arguments-fds",
-				"option:sort-events",
+				"sort-events",
 			},
 		},
 		{
diff --git a/tests/e2e-inst-signatures/e2e-proctree_data_source.go b/tests/e2e-inst-signatures/e2e-proctree_data_source.go
@@ -83,7 +83,7 @@ func (sig *e2eProcessTreeDataSource) OnEvent(event protocol.Event) error {
 		// ATTENTION: In order to have all the information in the data source,
 		// this signature needs to have tracee running with the following flags:
 		//
-		// * --output option:sort-events
+		// * --output sort-events
 		// * --stores process
 		// * --events PROCTREE_DATA_SOURCE
 
diff --git a/tests/e2e-inst-test.sh b/tests/e2e-inst-test.sh
@@ -330,7 +330,7 @@ print_test_header "START TRACE"
     -t "${TRACEE_STARTUP_TIMEOUT}" \
     -- \
     --signatures-dir "${SIG_DIR}" \
-    --output option:sort-events \
+    --output sort-events \
     --output option:parse-arguments \
     --stores process \
     --stores dns \
