ElasticCloud - alert on disk usage using metricbeats

Elastic Stack Kibana
1

I'm struggling to understand how to define an alert for my hosts disk usage in elastic cloud.
The agent is installed on my different hosts with the "system" integration. Pretty sure this use metricbeats.

I can see this vizualisation here :

EQgzk
EQgzk1260×459 47.1 KB

However the disk usage use a couple of field to get it's percentage :

  • system.fsstat.total_size.total
  • system.fsstat.total_size.used

When I review that part of the dashboard I end up with this :

    {
      "size": 0,
      "query": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": "2022-05-12T08:47:46.895Z",
                  "lte": "2022-05-12T08:57:46.895Z",
                  "format": "strict_date_optional_time"
                }
              }
            },
            {
              "bool": {
                "must": [],
                "filter": [
                  {
                    "bool": {
                      "should": [
                        {
                          "match_phrase": {
                            "data_stream.dataset": "system.fsstat"
                          }
                        }
                      ],
                      "minimum_should_match": 1
                    }
                  }
                ],
                "should": [],
                "must_not": []
              }
            }
          ],
          "filter": [],
          "should": [],
          "must_not": []
        }
      },
      "aggs": {
        "timeseries": {
          "auto_date_histogram": {
            "field": "@timestamp",
            "buckets": 1
          },
          "aggs": {
            "4e4dee91-4d1d-11e7-b5f2-2b7c1895bf32": {
              "filter": {
                "exists": {
                  "field": "system.fsstat.total_size.used"
                }
              },
              "aggs": {
                "docs": {
                  "top_hits": {
                    "size": 1,
                    "fields": [
                      "system.fsstat.total_size.used"
                    ],
                    "sort": [
                      {
                        "@timestamp": {
                          "order": "desc"
                        }
                      }
                    ]
                  }
                }
              }
            },
            "57c96ee0-4d54-11e7-b5f2-2b7c1895bf32": {
              "filter": {
                "exists": {
                  "field": "system.fsstat.total_size.total"
                }
              },
              "aggs": {
                "docs": {
                  "top_hits": {
                    "size": 1,
                    "fields": [
                      "system.fsstat.total_size.total"
                    ],
                    "sort": [
                      {
                        "@timestamp": {
                          "order": "desc"
                        }
                      }
                    ]
                  }
                }
              }
            }
          },
          "meta": {
            "timeField": "@timestamp",
            "panelId": "4e4dc780-4d1d-11e7-b5f2-2b7c1895bf32",
            "seriesId": "4e4dee90-4d1d-11e7-b5f2-2b7c1895bf32",
            "intervalString": "600000ms",
            "indexPatternString": "metrics-*",
            "normalized": true
          }
        }
      },
      "runtime_mappings": {}
    }

I want to create a threshold alert when the disk of any of my host reach, let's say 90%.
Threshold alert only takes one value, so I'm not able to create this alert.
Shoud I create a new field somewhere in metricbeats index or should I use a custom query alert ?

I'm quite new to ElasticCloud, I found a couple of solution using Python script etc but that seems a bit overkill for what I'm trying to achieve.

Hopefully someone will have a simple solution.

2

Hi @Thomas_Masquelier welcome to the community and thanks for trying Elastic Cloud.

Did you see this?

If you enable monitoring, these kind of alerts are out of the box.

3

Thanks for your reply.
However I'm not talking about monitoring my elastic deployment but I want to enable alerts for agents that are enrolled with my stack (VM's i'm monitoring with the "system" integration)

4

Apologies I was a bit confused... well then lets take a look

Here are the docs I would take a look at

First do you hosts that you are monitoring show up in the Metrics App

Screen Shot 2022-05-16 at 7.47.12 AM
Screen Shot 2022-05-16 at 7.47.12 AM2936×1682 410 KB

Screen Shot 2022-05-16 at 7.51.23 AM
Screen Shot 2022-05-16 at 7.51.23 AM1334×540 77.3 KB

Create A rule Note you can even create a Critical and Warning Levels

Screen Shot 2022-05-16 at 7.52.04 AM
Screen Shot 2022-05-16 at 7.52.04 AM1444×1562 230 KB

You will probably want to group by host.name so the alert is created by each host, and suppose you only wanted this to run against a certain subset of hosts you can provide a KQL filter

Screen Shot 2022-05-16 at 7.53.13 AM
Screen Shot 2022-05-16 at 7.53.13 AM1416×962 90.4 KB

Then Create an Action

Screen Shot 2022-05-16 at 7.57.07 AM
Screen Shot 2022-05-16 at 7.57.07 AM1466×1400 127 KB

Hope This Helps

5

Awesome,
I understood the way alerting was working however I didn't know the filed *.pct was actually a percentage already.

I tought I would need to create a field.

Thank you so much, this issue is now resolved :wink:

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.