Metricbeat: how to add additional field based on path?

asp · February 17, 2017, 8:45am

Hi,

we have a shared servers, which means one server has multiple instances of our application installed, while each installation is used for a different stage. Means we are providing dev and qa environment on the same server.

Installation of the instances is separated by cloned and renamed path structure:
e:\dev...
e:\qa...

Additionally the processes are running by different users per stage and process.

We have a field "stage" which contains the information, if the event is for qa or dev. We have filter in our dashboard to switch between the stages, so we can reuse the dashboard for each stage.

Now, when logging process information using metricbeat, I need to check the full path or the username to determine the stage.

I did not find the exported full path, so I am going for the system.process.username field.
Because we are using javaServiceWrapper with relative path settings, I have not the absolute path in the cmdline field.

Now the questions:

How can I do a regex on a field in metricbeat and add a common field based on a conditional?
is there a way to get the full path of the process? This would be more generic.

Thanks, Andreas

ruflin · February 24, 2017, 2:15pm

Do you have one or multiple metricbeat instances running? Would this one help here? https://github.com/elastic/beats/pull/3639

asp · February 24, 2017, 4:39pm

we are running one metricbeat instance per server.

about your link. Not sure, maybe it helps, maybe not.

andrewkroh · February 24, 2017, 5:44pm

Sounds like we need a processor that can add tags or fields. This way you could apply a condition like

processors:
- add_fields:
    fields: { environment: staging }
    when.regexp.system.process.username: "^staging_.*"
- add_fields:
    fields: { environment: prod }
    when.regexp.system.process.username: "^production_.*"

And I think the enhancement for CWD would also help. It would give you a redundant way of determining which environment the process belongs to. But that enhancement is currently only for Linux.

system · March 10, 2017, 8:45am

This topic was automatically closed after 21 days. New replies are no longer allowed.