How to add multiple metricbeat parameter to query

Elastic Stack Beats
1

Hi,

I want to expose endpoint of Metricbeat system parameters (Same as KIBANA) with the help of NEST to create a page similar to KIBANA dashboard in my application. I want to fetch all the parameters like CPU, Memory, diskio etc. I write following query which gives me latest one hit for cpu parameter

get /metricbeat*/_search?pretty=true
{"size":1,
 "query":{"bool":{"must": [{"range": {"system.cpu.idle.pct": {"gte": 0}}}]}},
   "sort":[{"@timestamp": {"order": "desc"}}]}

I want to add memoery, diskio and some more parameter to it so I get on hit per parameter. I tried to add by this way but no luck

{"range": {"system.cpu.idle.pct": {"gte": 0}}}, {"range": {"system.memory.used.pct": {"gte": 0}}}

Please suggest how to implement it.

2

Hi!

I would suggest to create the search you want in Kibana and then Inspect it in order to take the query and reuse it in your app.

3

Will you please elaborate more on how to do that ?

4

Hey,

have a look at https://www.elastic.co/guide/en/kibana/master/save-open-search.html.

After you have saved a search you can inspect this and see the source query. For instance:

14
Screenshot 2019-12-13 at 10.56.14.png1577×813 92 KB

5

Thanks Chris,

Sorry for late reply, I was busy with other stuff for time being.

I found your suggestion very helpful and write my query with multiple fields now.
Eventually , I found that query gives me result if I club same metricset name fields like memory or CPU. like:
{"range": {
"system.cpu.iowait.pct": {
"gte": 0,
"lt": 1
} }},
{"range": {
"system.cpu.idle.pct": {
"gte": 0,
"lt": 1 }}},

But if I add different metricset name than it wont give anything
{ "range": {
"system.memory.actual.used.pct": {
"gte": 0,
"lt": 1
}}},
{"range": {
"system.cpu.idle.pct": {
"gte": 0,
"lt": 1}}}

Here I add 'Memory' type with 'CPU' so query result is empty

image
image1020×665 32.2 KB

My objective is to get all system parameters of metricset.name.

6

Actully I want to return % in below screen should return by my endpoints.

Untitled2

7

Hi!

Glad that you found inspecting useful!

For your question now I would suggest something like this:

Screenshot 2019-12-17 at 10.20.27
Screenshot 2019-12-17 at 10.20.271577×813 121 KB

However since your question tends to be more Elasticsearch oriented, you could also ask in Elasticsearch's forum so as to get the most optimised query for your purposes.

Thanks!

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.