
Filter out failed syscalls from strace log

7 votes
3 answers
7175 views
I can run strace on a command like `sleep 1` and see what files it's accessing like this:

```
strace -e trace=file -o strace.log sleep 1
```

However, on my machine, many of the calls have a return value of -1 indicating that the file does not exist. For example:

```
$ grep '= -1 ENOENT' strace.log | head
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
```

I'm not really interested in the files that don't exist; I want to know what files the process actually found and read from. Aside from `grep -v '= -1 ENOENT'`, how can I reliably filter out failed calls?
# Addendum #

I was surprised to learn that strace has had this feature in the works since 2002 in the form of the `-z` flag, which is an alias for `-e status=successful`, fully functional [since version 5.2](https://github.com/strace/strace/commit/e45a594cb08394c96f71105db9bacf08aa4c734d) ([2019-07-12](https://github.com/strace/strace/releases/tag/v5.2)), also available as `--successful-only` [since version 5.6](https://github.com/strace/strace/commit/092724f8041cdfb64dcaf68a2d8ba877b509ea83) ([2020-04-07](https://github.com/strace/strace/releases/tag/v5.6)).

Also available since version 5.2 is the complement of `-z`, the `-Z` flag, which is an alias for `-e status=failed`, available as `--failed-only` since version 5.6.

The `-z` flag was [first added in a commit from 2002](https://github.com/strace/strace/commit/17f8fb3484e94976882f65b7a3aaffc6f24cd75d) and released in version 4.5.18 ([2008-08-28](https://github.com/strace/strace/releases/tag/v4.5.18)), but it had never been [documented](https://github.com/strace/strace/commit/de6e53308ca58da7d357f8114afc74fff7a18043) because it was not working properly.

Relevant links:

- only seeing successful system calls
  Sat Nov 2 23:07:23 UTC 2002

  > When using strace I sometimes like to see the system calls which work (instead of all the system calls).
  >
  > I've been porting this patch for years, it seems very useful.
  >
  > With the -z option, you don't see opens on files which aren't there (very useful tracking down what a program actually does, instead of trying to do).

  https://lists.strace.io/pipermail/strace-devel/2002-November/000232.html
- strace: -z option doesn't work properly
  Date: Sun, 12 Jan 2003 09:33:01 UTC
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=176376
- tracing only failing syscalls
  Created: 2004-03-19
  https://sourceforge.net/p/strace/feature-requests/3/
- [strace-4.15] Proposal: Output Staging for -z Option (print successful syscalls only) / Patch included
  Tue Jan 17 09:35:54 UTC 2017
  https://lists.strace.io/pipermail/strace-devel/2017-January/005941.html
- [PATCH v1] Implemented output staging for failed/successful syscalls
  Wed Jan 18 16:01:20 UTC 2017
  https://lists.strace.io/pipermail/strace-devel/2017-January/005950.html
- Fix -z option
  Feb 28, 2018
  https://github.com/strace/strace/issues/49
- [PATCH 0/3] Stage output for -z and new -Z options
  Mon Apr 1 21:13:02 UTC 2019
  https://lists.strace.io/pipermail/strace-devel/2019-April/008706.html
- strace -z flag
  Mon Jun 10 05:29:19 UTC 2019
  https://lists.strace.io/pipermail/strace-devel/2019-June/008808.html
Asked by Nathaniel M. Beaver (1398 rep)
Apr 6, 2018, 08:26 PM
Last activity: Sep 13, 2024, 04:18 PM
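
For strace versions older than 5.2, where `-z` is not usable, a log can be post-filtered instead. The following is an added example, not code from the question or from the strace project; the function names `filter_successful` and `sample_log` and the sample log lines are constructed for illustration. It goes beyond a plain `grep -v` by anchoring the match at the end of the line and by pairing `<unfinished ...>` / `resumed` halves in `strace -f` output:

```bash
#!/usr/bin/env bash
# Added example: post-filter for logs from strace versions without a working -z.

# filter_successful: read a strace log on stdin, print only calls that did not fail.
filter_successful() {
  awk '
    # A failed call ends in "= -1 ERRNO (description)". Anchoring at end of line
    # keeps a successful call whose quoted path happens to contain that text.
    function failed(line) { return line ~ / = -1 E[A-Z0-9]+ \(.*\)$/ }
    # With -f -o, every line starts with the PID; use it to pair split calls.
    function key() { return ($1 ~ /^[0-9]+$/) ? $1 : "-" }

    # First half of a call interrupted by another process: hold it back.
    / <unfinished \.\.\.>$/ { pending[key()] = $0; next }
    # Second half: the return value is here, so decide for both halves now.
    /<\.\.\. [a-z0-9_]+ resumed>/ {
      k = key()
      if (!failed($0)) { if (k in pending) print pending[k]; print }
      delete pending[k]
      next
    }
    !failed($0) { print }
  '
}

# Constructed sample in the format written by: strace -f -e trace=file -o strace.log CMD
sample_log() {
  cat <<'EOF'
1234 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
1234 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234 open("/tmp/a = -1 ENOENT (x)", O_RDONLY) = 4
1234 open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC <unfinished ...>
1235 open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC <unfinished ...>
1234 <... open resumed>) = -1 ENOENT (No such file or directory)
1235 <... open resumed>) = 3
1234 +++ exited with 0 +++
EOF
}

sample_log | filter_successful
```

Signal and exit-status lines pass through unchanged, and a held-back `<unfinished ...>` line is printed only when its resumed half arrives, so output order can differ slightly from the input.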