Event parsing - perf_data from cmkbeat

Hello,
We are collecting some server metric using cmkbeat agent.
The output is available in following format:
perf_data: heap=8308.406693;15045.98125;15837.875;;15837.875 nonheap=582.264664;0;0;;0
perf_data: generic_number=4;80;90;;
perf_data: sessions=6338;10000;20000;;

The goal is to have following fields extracted from "perf_data" field:
metrics.metric_name: value (e.g. metrics.heap: 8308.406693)
metrics.metric_name.warn: warn_value (e.g. metrics.heap.warn: 15045.98125)
metrics.metric_name.crit: crit_value (e.g. metrics.heap.crit: 15837.875)
metrics.metric_name.min: min_value
metrics.metric_name.max: max_value

Case some value is missing, don't create field.

The main issue is that there are more than 40 different metric types, so my question is if there is any way how to extract field names and values from field "perf_data" dynamically (simply not to create 40 different grok patterns...)?

Thanks!

another solution might be to use existing metrics field created by cmkbeat and remove the second level field from field name.
Would that be possible?

data example in json:
"metrics": {
"ORA_PTSNSBS.SYS_USER_1_Tablespace": {
"size": "104857600",
"max_size": "104857600",
"size_warn": "94371840",
"size_crit": "99614720",
"used": "1114112"
}

current state:
metrics.ORA_PTSNSBS.SYS_USER_1_Tablespace.max_size: 104,857,600
desired state:
metrics.max_size: 104,857,600

in general it's possible to "rename" field [metrics][service][metric_name] to [metrics][metric_name] for all fields?

You could do it in ruby. Something similar (but not the same) as this.

hi Badger,
thanks for the hint, I'm not so familiar with ruby :slight_smile:
I'll try to adapt it and update the topic here.

this solved our issues.
At the end we renamed the original field "metrics" to "cmk_metrics", because of the fields removal.

ruby {
  code => '
    event.get("metrics").each { |k, v|
      event.set("cmk_beat",v)
    }
    event.remove("metrics")
    '
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.