feature removal suggestion: process relative time stamps (or: making event timestamps a standard)

[NDStrahilevitz]

Hey all.

As I'm working on code related to the event timestamps right now, I was struck by the option that no one is really using the relative time feature. The feature is currently enabled by appending the -o option:relative-time flag to tracee, or setting it in the config file. Once enabled, timestamp values in the event context and arguments are printed relative to the point in time in which tracee's process begun (so instead of ts: epoch_time_at_record -> ts: time_from_boot_at_record - tracee_recorded_starttime_from_boot).

I believe we have the following reasons to remove:

1. No intrinsic advantage over epoch time: relative time does not allow a comparison or timeline assessment of event occurence, especially given a crash/restart in a tracee daemonset. The only intrinsic advantage is a more or less precise duration from tracee's start, but even that can be approximated through the first event or other means on the host.
2. The plurality of timestamp outputs complicates the usage and implementation of ad-hoc analysis in the planned analyze mode (Analyze mode should support same (or similar) features as regular pipeline. #3520). The two solutions proposed for these are either "marking" the timestamp, such that any operation done on it can rely on the mark + awareness of ad-hoc analysis (which couples it to the notion of time), and/or relying on the tracee_info event which solely exists currently to inform of the state set for tracee in some pipeline work.
3. In contrast, it seems to me that by removing the relative time feature we could simply rely on the any event source converting its timestamps to epoch as standard. There will be no different outputs for events, anyone who wants to convert tracee event times to some "relative from" timestamp can do it on their own, per their requirements. Any addition of custom events will require, by standard, to set epoch timestamps on all relevant fields. This turns the issue of timestamps to an issue of standard compliance, and a compliance which is certainly possible.

Any thoughts? Any who are directly in favor or against?

[geyslan]

In contrast, it seems to me that by removing the relative time feature we could simply rely on the any event source converting its timestamps to epoch as standard. There will be no different outputs for events, anyone who wants to convert tracee event times to some "relative from" timestamp can do it on their own, per their requirements.

I believe that making epoch the unique standard is the path to take. As you mentioned there's no intrinsic benefit of getting only the relative time. Anyhoo, if one needs it, it can be calculated further based on epoch.

[itaysk]

SGTM