I have a metricbeat running on one place which is generating following metrics
host.network.ingress.bytes
but at different place (same version metricbeat) but different elastic cluster is not producting this metric. How do I enable this.
I read that it is ECS metrics
system module
network metircset
hmm, I already have that enable. I will try getting one container for testing to see what is happening.
- module: system
period: 1m
metricsets:
- cpu
- load
- memory
- network
- process_summary
- process
does this matric works only for container?
I would say opposite I would expect to when metricbeat is run directly on a host or full vm... But perhaps not in a thin container
This might not be related to your issue but just as a heads up -- I took a brief look at the code and it might be the case that the very first network metric emitted from the system network metrics excludes the host.network.* fields. When a minute passes and the second network metricset is emitted it should contain the host.network.* fields.
The Operating System reports these values as counters that always increase but the host metricset reports deltas so we have to wait to see 2 values before we can calculate and report a delta.
Can you share the metricbeat config as well as example network documents from each cluster?
in my test, I am receiving host.disk.write.bytes and host.disk.read.bytes. but not getting network. (using v8.5.3 for testing)
both config are identical. most probably the way both container has deploy or how they running metricbeat. I have contacted our local system admin guys to find out what are the difference between two deployment. where I get data from one but not from other.
Corrected Below.
I see the host.network.* fields in a document on my Mac running macOS 14.6.1 (23G93)
Metricbeat.yml
metricbeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
output.console:
pretty: true
System.yml:
- module: system
period: 10s
metricsets:
- network
Will print a document for each interface and a summary document with the host.network.* fields:
./metricbeat
....
{
"@timestamp": "2024-12-11T21:52:33.659Z",
"@metadata": {
"beat": "metricbeat",
"type": "_doc",
"version": "8.16.1"
},
"event": {
"module": "system",
"duration": 17273208,
"dataset": "system.network"
},
"metricset": {
"period": 10000,
"name": "network"
},
"service": {
"type": "system"
},
"host": {
"name": "billeastons-MBP.ad.weaston.org",
"network": {
"ingress": {
"bytes": 5479,
"packets": 40
},
"egress": {
"packets": 210,
"bytes": 87902
}
}
},
"ecs": {
"version": "8.0.0"
},
"agent": {
"type": "metricbeat",
"version": "8.16.1",
"ephemeral_id": "cd61d6fb-25c6-4263-8130-78e3d7c750f1",
"id": "368def15-35c4-4d4e-834e-7e9879a6b653",
"name": "billeastons-MBP.ad.weaston.org"
}
}
Metricbeat creates it so that the infrastructure UI in the observability solution can consistently show network data without having to rely on rate counters and without having to handle rollover of counters. I don't believe it's platform-specific.
Yup I see it now on my normal linux host... and my mac.
What makes it a bit odd... it is not in the exported field list for system module
It is only in the ECS fields.
this is so weird. I am running all kind of different test but I don't get host.network.ingress
I do get host.disk.read.bytes means metricbeat is sending ECS stuff. but not network related data.
I am testing this by running logstash from command line and putting out put on screen.
I got my hand on metricbeat side, turn on debugging and got this
{"log.level":"debug","@timestamp":"2024-12-17T10:57:19.768-0600","log.logger":"publisher","log.origin":{"file.name":"pipeline/client.go","file.line":226},"message":"Pipeline client receives callback 'onFilteredOut' for event: {Timestamp:2024-12-17 10:57:19.767232381 -0600 CST m=+60.264540632 Meta:null Fields:{\"event\":{\"dataset\":\"system.network\",\"duration\":305362,\"module\":\"system\"},\"host\":{\"network\":{\"egress\":{\"bytes\":1084701432,\"packets\":183003},\"ingress\":{\"bytes\":2304547302,\"packets\":216275}}},\"metricset\":{\"name\":\"network\",\"period\":60000},\"service\":{\"type\":\"system\"}} Private:<nil> TimeSeries:true}","service.name":"metricbeat","ecs.version":"1.6.0"}
ecs.version:1.6.0. is this correct version?
I am still not getting this metric at logstash though
metricbeat is version 8.5.3
How have you determined that this metric is not available in Logstash
What causes that...
finally it is working. I have no access to container where metricbeat running hence it is hard to tell you what they did. But as I suspect they was using some old library and or configuration. I had to debug on logstash/elastic side and due to all these post I was confident on telling them that there is something not correct on metricbeat side.
Now I get all metric and ecs version is correct as well
"ecs" => {
"version" => "8.0.0"
"host" => {
"name" => "host1",
"network" => {
"ingress" => {
"bytes" => 12066198482,
"packets" => 862634
},
"egress" => {
"bytes" => 64507225,
"packets" => 837701
}
}
What changed? What Config? Was it on the Metricbeat side?
yes on metricbeat side they just said they was using old config.
I ask for more specific. basically someone has started metricbeat on host system. they shut that down and kept only on VM. it was causing issue with it.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.