I'm trying to create an alert that is triggered when usage for any mount point on any server is in excess of 80%.
When creating a threshold alert under Watcher, I'm looking at getting the average of system.filesystem.used.pct and grouping this by both terms and system.filesystem.mount_point (which does not appear to be present in the drop-down menus at all). However, it does not appear that I can enter this type of construct in the GUI.
Does this sort of query need to be configured via JSON directly or am I missing a trick here? If it must be in JSON, could anybody offer any examples?
The problem I have with these examples is that they display filesystem usage as a total of all volumes rather than single volumes (i.e. 80% on Disk C on Host A).
It seems like I am missing fields such as mount point or device to present the granularity I want?
Will spend some more time playing with this today and see where I get.
You can have the granularity per host per mount point by using terms aggregations that split per host and then per mountpoint. This information exists as part of the metricbeat data.
That is exactly what I did for the visualisations and it worked like a charm, but the same fields are not present when I try to create a new threshold alert using the GUI. This is why I am guessing that everything needs to be written in raw JSON?
I think writing a raw watch outside of the threshold UI might be easier, as you need more than one layer of aggregations - I am not sure this works with the threshold UI (my UI skills are limited though).
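A raw watch of the kind suggested above, as an added example that is not from any poster in this thread: it nests a terms aggregation on mount point inside one on host, averages system.filesystem.used.pct per bucket, and keeps only buckets above 80%. The `metricbeat-*` index pattern, the `host.name` field, the 5-minute window and the bucket sizes are assumptions to adjust for your Metricbeat version; `used.pct` is assumed to be stored as a 0 to 1 fraction.

```json
{
  "metadata": { "note": "Added example. Index pattern, host.name, 5m window and sizes are assumptions." },
  "trigger": { "schedule": { "interval": "5m" } },
  "input": { "search": { "request": {
    "indices": ["metricbeat-*"],
    "body": {
      "size": 0,
      "query": { "bool": { "filter": [
        { "range": { "@timestamp": { "gte": "now-5m" } } },
        { "exists": { "field": "system.filesystem.used.pct" } }
      ] } },
      "aggs": { "hosts": {
        "terms": { "field": "host.name", "size": 200 },
        "aggs": { "mounts": {
          "terms": { "field": "system.filesystem.mount_point", "size": 50 },
          "aggs": {
            "used": { "avg": { "field": "system.filesystem.used.pct" } },
            "over_80": { "bucket_selector": {
              "buckets_path": { "used": "used" },
              "script": "params.used > 0.8"
            } }
          }
        } }
      } }
    }
  } } },
  "condition": { "script": {
    "source": "for (def h : ctx.payload.aggregations.hosts.buckets) { if (h.mounts.buckets.size() > 0) { return true; } } return false;"
  } },
  "actions": { "log_full_mounts": {
    "transform": { "script": {
      "source": "def s = ''; for (def h : ctx.payload.aggregations.hosts.buckets) { for (def m : h.mounts.buckets) { s += h.key + ':' + m.key + '=' + m.used.value + ' '; } } return ['summary': s];"
    } },
    "logging": { "text": "Mount points above 80% used: {{ctx.payload.summary}}" }
  } }
}
```

The bucket_selector drops mount points at or below the threshold but leaves their host buckets in place with an empty `mounts` list, which is why the condition checks the inner bucket count rather than the number of hosts.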
I'm looking at an alternative approach - using perfmon counters via the windows module in Metricbeat. I believe I have the syntax correct (?) for querying the LogicalDisk:%FreeSpace counter, but there's still no evidence of it being available in the indexes. I've added the following to metricbeat.yml as a test: