Metricbeat 7.0.1 Windows Module Services

Michi · May 17, 2019, 10:13am

I have a problem with the Metricbeat Windows module, I only want to monitor 5 specific services in the service monitoring. But it always transfers all events to Elasticsearch.
I've tried filtering like this in the example:
https://www.elastic.co/guide/en/beats/metricbeat/master/metricbeat-metricset-windows-service.html

processors:
    - drop_event.when.not.equals:
  windows.service.display_name: Windows Firewall

and like this one:

processors:
 -drop_event:
 when:
or: 
  not:
    equals:
       windows.service.name: XXX6
  not:
    equals:
      windows.service.name: XXX5
  not:
    equals:
      windows.service.name: XXX3
  not:
    equals:
      windows.service.name: XXX2
  not:
    equals:
      windows.service.name: XXXX1

What must be different for me to only receive events for the listed services?

and I have a second problem, I can't see on the dashboard how much space is left on the Windows partitions. Do I have to configure it in the Windows module or system and if so how?
The Metrictset filesystem and fsstat are active by default, but I still don't see how full/empty the partitions are in the dashboard. Seems that the information is missing.

Kaiyan_Sheng · May 28, 2019, 5:34pm

Hi @Michi, just curious if you gave and a try instead of or because it's not equals here. If we pass a windows.service.name which equals to XXX7, then it has to compare with all names listed above and if none of them matches, then drop that event.

Regarding to your second question, which metric exactly from metricbeat are you looking from the dashboard?

Michi · May 29, 2019, 7:01am

I try the and instead of or, but still all events (services statusses) are submitted

I want the partition size, the partitions are detected but its 0% all the time.
Unbenannt

Kaiyan_Sheng · May 30, 2019, 2:39pm

@Michi Hmmm I will spend some time today to try the drop_event. Regarding to the Disk Usage part, In your system.yml or metricbeat.yml, do you have filesystem metricset enabled?

Michi · May 31, 2019, 4:05am

Yes the filesystem metricset is enabled in system.yml.

Kaiyan_Sheng · June 5, 2019, 1:04am

Sorry for the late response! For disk usage problem, I was able to reproduce it and found out the Disk Usage visualization is displaying Top 10 system.filesystem.used.pct and Order by Doc Count instead of Order by Average of system.filesystem.used.pct. Also group by is using system.filesystem.mount_point instead of system.filesystem.device_name.

Also if you toggle the different options around, some data shows up Do you want to create an issue for this in github for this? Or I can do it tomorrow.

Michi · June 5, 2019, 4:23am

i created a issue on github: https://github.com/elastic/beats/issues/12435

system · July 3, 2019, 4:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need assistance on combined processors within metricbeat module Beats beats-module , metricbeat	2	324	February 9, 2021
Metricbeat 7.3 windows module sevice metricset filter error Beats metricbeat	1	365	August 29, 2019
Metricbeat windows module not working as expected Beats metricbeat	1	166	August 21, 2023
Unable to create a proper processor for windows module to filter certain services Beats windows , metricbeat	2	493	August 5, 2020
Metricbeat don't show "[Metricbeat Windows] Services" Beats metricbeat	1	429	January 4, 2021

Metricbeat 7.0.1 Windows Module Services

Related Topics