Event parsing - perf_data from cmkbeat

Robo · February 19, 2020, 3:23pm

Hello,
We are collecting some server metric using cmkbeat agent.
The output is available in following format:
perf_data: heap=8308.406693;15045.98125;15837.875;;15837.875 nonheap=582.264664;0;0;;0
perf_data: generic_number=4;80;90;;
perf_data: sessions=6338;10000;20000;;

The goal is to have following fields extracted from "perf_data" field:
metrics.metric_name: value (e.g. metrics.heap: 8308.406693)
metrics.metric_name.warn: warn_value (e.g. metrics.heap.warn: 15045.98125)
metrics.metric_name.crit: crit_value (e.g. metrics.heap.crit: 15837.875)
metrics.metric_name.min: min_value
metrics.metric_name.max: max_value

Case some value is missing, don't create field.

The main issue is that there are more than 40 different metric types, so my question is if there is any way how to extract field names and values from field "perf_data" dynamically (simply not to create 40 different grok patterns...)?

Thanks!

Robo · February 20, 2020, 8:53am

another solution might be to use existing metrics field created by cmkbeat and remove the second level field from field name.
Would that be possible?

data example in json:
"metrics": {
"ORA_PTSNSBS.SYS_USER_1_Tablespace": {
"size": "104857600",
"max_size": "104857600",
"size_warn": "94371840",
"size_crit": "99614720",
"used": "1114112"
}

current state:
metrics.ORA_PTSNSBS.SYS_USER_1_Tablespace.max_size: 104,857,600
desired state:
metrics.max_size: 104,857,600

in general it's possible to "rename" field [metrics][service][metric_name] to [metrics][metric_name] for all fields?

Badger · February 20, 2020, 3:12pm

You could do it in ruby. Something similar (but not the same) as this.

Robo · February 21, 2020, 12:44pm

hi Badger,
thanks for the hint, I'm not so familiar with ruby
I'll try to adapt it and update the topic here.

Robo · February 21, 2020, 2:03pm

this solved our issues.
At the end we renamed the original field "metrics" to "cmk_metrics", because of the fields removal.

ruby {
  code => '
    event.get("metrics").each { |k, v|
      event.set("cmk_beat",v)
    }
    event.remove("metrics")
    '
}

system · March 20, 2020, 2:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Creating metrics from a filebeat input Logstash	1	280	May 31, 2020
Create New Fields from Metricbeat Metrics	1	461	April 8, 2022
Convert type of custom fields added via metricbeat processors Beats metricbeat	6	374	March 2, 2020
How to parse json from message field Beats filebeat	4	1106	February 8, 2024
How to Convert array fields from beats to compatible array fields of Splunk HEC input viai Logstash Beats metricbeat	1	263	October 19, 2021

Event parsing - perf_data from cmkbeat

Related Topics