I just want to monitor user processed using metricbeat
currently it is giving me all the system process as well like kworker, systemd etc...
how do I drop them? I think drop_event in system.yml file needs to be set. but I do not understand it correctly.
Have you tried using the processes setting of the system/process metricset? https://www.elastic.co/guide/en/beats/metricbeat/6.8/metricbeat-metricset-system-process.html#_configuration_10
there is no exclude event or drop event on that document page
Right, I was thinking you could use the processes setting to define the list of user processes you are interested in monitoring, unless you want to monitor all user processes?
No I want to do it other way around. I want to grab everything from system which is not user = root
Got it, thanks.
If you look at the event produced by the system/process metricset (example event is shown on https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-process.html), you'll see that there's a user.name field in the event. You can then use the drop_event processor to drop events with user.name equal to root: https://www.elastic.co/guide/en/beats/metricbeat/current/drop-event.html.
Perfect. worked
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.