Event parsing - perf_data from cmkbeat

Robo · February 19, 2020, 3:23pm

Hello,
We are collecting some server metric using cmkbeat agent.
The output is available in following format:
perf_data: heap=8308.406693;15045.98125;15837.875;;15837.875 nonheap=582.264664;0;0;;0
perf_data: generic_number=4;80;90;;
perf_data: sessions=6338;10000;20000;;

The goal is to have following fields extracted from "perf_data" field:
metrics.metric_name: value (e.g. metrics.heap: 8308.406693)
metrics.metric_name.warn: warn_value (e.g. metrics.heap.warn: 15045.98125)
metrics.metric_name.crit: crit_value (e.g. metrics.heap.crit: 15837.875)
metrics.metric_name.min: min_value
metrics.metric_name.max: max_value

Case some value is missing, don't create field.

The main issue is that there are more than 40 different metric types, so my question is if there is any way how to extract field names and values from field "perf_data" dynamically (simply not to create 40 different grok patterns...)?

Thanks!

Robo · February 20, 2020, 8:53am

another solution might be to use existing metrics field created by cmkbeat and remove the second level field from field name.
Would that be possible?

data example in json:
"metrics": {
"ORA_PTSNSBS.SYS_USER_1_Tablespace": {
"size": "104857600",
"max_size": "104857600",
"size_warn": "94371840",
"size_crit": "99614720",
"used": "1114112"
}

current state:
metrics.ORA_PTSNSBS.SYS_USER_1_Tablespace.max_size: 104,857,600
desired state:
metrics.max_size: 104,857,600

in general it's possible to "rename" field [metrics][service][metric_name] to [metrics][metric_name] for all fields?

Badger · February 20, 2020, 3:12pm

You could do it in ruby. Something similar (but not the same) as this.

Robo · February 21, 2020, 12:44pm

hi Badger,
thanks for the hint, I'm not so familiar with ruby
I'll try to adapt it and update the topic here.

Robo · February 21, 2020, 2:03pm

this solved our issues.
At the end we renamed the original field "metrics" to "cmk_metrics", because of the fields removal.

ruby {
  code => '
    event.get("metrics").each { |k, v|
      event.set("cmk_beat",v)
    }
    event.remove("metrics")
    '
}

system · March 20, 2020, 2:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Metrics plugin -> how to copy fields from source event? Logstash	2	500	July 6, 2017
Create custom metricbeat fields Beats metricbeat	3	673	May 27, 2019
Logstash grok to match the metricbeat type and add field Logstash	9	4490	April 4, 2018
Creating metrics from a filebeat input Logstash	1	280	May 31, 2020
Grok - how to add field with values from existing fields? Logstash	6	7871	February 3, 2018

Event parsing - perf_data from cmkbeat

Related topics