Add_field per instance of permon metricset

Elastic Stack Beats
1

Hello,

The following does not seem to work?

- module: windows
  metricsets: [perfmon]
  period: 10s
  perfmon.ignore_non_existent_counters: true
  perfmon.group_measurements_by_instance: true
  perfmon.counters:
    - instance_label: processor.name
      instance_name: total
      measurement_label: processor.time.total.pct
      query: '\Processor Information(_Total)\% Processor Time'
    
    - instance_label: logical_disk.name
      measurement_label: logical_disk.disk_time.pct
      query: '\LogicalDisk(*)\% Disk Time'
      processors:
      - add_fields:
          fields:
            metricset.counter: logical_disk
              
    - instance_label: logical_disk.name
      measurement_label: logical_disk.avg_disk_queue_length
      query: '\LogicalDisk(*)\Avg. Disk Queue Length'
      processors:
      - add_fields:
          fields:
            metricset.counter: logical_disk

Is there a way to use the add_field processor per instance in the perfmon module? We would like to monitor some mssql performance counters and add the name of the database in a custom field. That way we can aggregate counters per host per database. If this is not possible, should I make a feature request?

Tx!

Grtz

Willem

2

It looks like processors allow conditions:
https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html
https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#conditions

can you add conditions based on the data you are receiving?

3

Hi,

as a colleague of Willem I'm also investigating this and I tried the following

- module: windows
  metricsets: [perfmon]
  period: 10s
  perfmon.ignore_non_existent_counters: true
  perfmon.group_measurements_by_instance: true
  perfmon.counters:
    - instance_label: processor.name
      instance_name: total
      measurement_label: processor.time.total.pct
      query: '\Processor Information(_Total)\% Processor Time'
    
    - instance_label: logical_disk.name
      measurement_label: logical_disk.disk_time.pct
      query: '\LogicalDisk(*)\% Disk Time'
              
    - instance_label: logical_disk.name
      measurement_label: logical_disk.avg_disk_queue_length
      query: '\LogicalDisk(*)\Avg. Disk Queue Length'
  processors:
    - add_fields:
        when.equals:
          instance_label: logical_disk.name
        fields:
          metricset.counter: testfield

I also tried with perfmon.counters.instance_label or putting the logical_disk.name between quotes but that doesn't work.
FYI, without the when.equals part "fields.metricset.counter" is added with value "testfield".

We think the issue we have is that the condition needs to meet the key instead of the value.
The field actually results in "windows.perfmon.logical_disk.name".
I think we need something like:

when.exists:
  windows.perfmon.logical_disk.name

Kind regards,
Peter

4

Ok, we found this, tested it and it works:

- module: windows
  metricsets: [perfmon]
  period: 10s
  perfmon.ignore_non_existent_counters: true
  perfmon.group_measurements_by_instance: true
  perfmon.counters:
    - instance_label: processor.name
      instance_name: total
      measurement_label: processor.time.total.pct
      query: '\Processor Information(_Total)\% Processor Time'
    
    - instance_label: logical_disk.name
      measurement_label: logical_disk.disk_time.pct
      query: '\LogicalDisk(*)\% Disk Time'
              
    - instance_label: logical_disk.name
      measurement_label: logical_disk.avg_disk_queue_length
      query: '\LogicalDisk(*)\Avg. Disk Queue Length'
  processors:
    - add_fields:
        when.has_fields:
          ['windows.perfmon.logical_disk.name']
        fields:
          metricset.counter: logical_disk
5

@pmercado Just a small question => Any idea when the perfmon module would come out of beta? We are a bit reluctant to use beta features on a large scale. But perfmon is such an important part for Windows monitoring, we kind of really need it. . Tx!

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.