ElasticCloud - alert on disk usage using metricbeats

Thomas_Masquelier · May 13, 2022, 9:58am

I'm struggling to understand how to define an alert for my hosts disk usage in elastic cloud.
The agent is installed on my different hosts with the "system" integration. Pretty sure this use metricbeats.

I can see this vizualisation here :

However the disk usage use a couple of field to get it's percentage :

system.fsstat.total_size.total
system.fsstat.total_size.used

When I review that part of the dashboard I end up with this :

    {
      "size": 0,
      "query": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": "2022-05-12T08:47:46.895Z",
                  "lte": "2022-05-12T08:57:46.895Z",
                  "format": "strict_date_optional_time"
                }
              }
            },
            {
              "bool": {
                "must": [],
                "filter": [
                  {
                    "bool": {
                      "should": [
                        {
                          "match_phrase": {
                            "data_stream.dataset": "system.fsstat"
                          }
                        }
                      ],
                      "minimum_should_match": 1
                    }
                  }
                ],
                "should": [],
                "must_not": []
              }
            }
          ],
          "filter": [],
          "should": [],
          "must_not": []
        }
      },
      "aggs": {
        "timeseries": {
          "auto_date_histogram": {
            "field": "@timestamp",
            "buckets": 1
          },
          "aggs": {
            "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32": {
              "filter": {
                "exists": {
                  "field": "system.fsstat.total_size.used"
                }
              },
              "aggs": {
                "docs": {
                  "top_hits": {
                    "size": 1,
                    "fields": [
                      "system.fsstat.total_size.used"
                    ],
                    "sort": [
                      {
                        "@timestamp": {
                          "order": "desc"
                        }
                      }
                    ]
                  }
                }
              }
            },
            "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32": {
              "filter": {
                "exists": {
                  "field": "system.fsstat.total_size.total"
                }
              },
              "aggs": {
                "docs": {
                  "top_hits": {
                    "size": 1,
                    "fields": [
                      "system.fsstat.total_size.total"
                    ],
                    "sort": [
                      {
                        "@timestamp": {
                          "order": "desc"
                        }
                      }
                    ]
                  }
                }
              }
            }
          },
          "meta": {
            "timeField": "@timestamp",
            "panelId": "4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32",
            "seriesId": "4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32",
            "intervalString": "600000ms",
            "indexPatternString": "metrics-*",
            "normalized": true
          }
        }
      },
      "runtime_mappings": {}
    }

I want to create a threshold alert when the disk of any of my host reach, let's say 90%.
Threshold alert only takes one value, so I'm not able to create this alert.
Shoud I create a new field somewhere in metricbeats index or should I use a custom query alert ?

I'm quite new to ElasticCloud, I found a couple of solution using Python script etc but that seems a bit overkill for what I'm trying to achieve.

Hopefully someone will have a simple solution.

stephenb · May 14, 2022, 10:04pm

Hi @Thomas_Masquelier welcome to the community and thanks for trying Elastic Cloud.

Did you see this?

If you enable monitoring, these kind of alerts are out of the box.

Thomas_Masquelier · May 16, 2022, 8:31am

Thanks for your reply.
However I'm not talking about monitoring my elastic deployment but I want to enable alerts for agents that are enrolled with my stack (VM's i'm monitoring with the "system" integration)

stephenb · May 16, 2022, 2:57pm

Apologies I was a bit confused... well then lets take a look

Here are the docs I would take a look at

First do you hosts that you are monitoring show up in the Metrics App

Create A rule Note you can even create a Critical and Warning Levels

You will probably want to group by host.name so the alert is created by each host, and suppose you only wanted this to run against a certain subset of hosts you can provide a KQL filter

Then Create an Action

Hope This Helps

Thomas_Masquelier · May 19, 2022, 1:12pm

Awesome,
I understood the way alerting was working however I didn't know the filed *.pct was actually a percentage already.

I tought I would need to create a field.

Thank you so much, this issue is now resolved

system · June 16, 2022, 1:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.