Metricbeat yaml drop_event.when.regexp.mount_point filter not working as expected

Hi there

I am using metricbeat to monitor storage for a specific mount_point on a Linux machine. In order to get the data for that mount_point I am using the drop_event.when.regexp.mount_point filter in the metricbeat.yaml.

Here is the filter config. I want all the mount_points other than '/' to be filtered out from the beats output.

- module: system
  enabled: true
  period: 10s
  metricsets:
    - cpu
    - memory
    - filesystem
  filters:
    - drop_event.when.regexp.mount_point: '/[a-zA-Z0-9//]+'

This solution does not work on an Ubuntu 14.0.04 machine. No matter what RegEx I use, I get data for all mount_points on the system, which are

"mount_point":"/"
"mount_point":"/run/shm"
"mount_point":"/run/user"
"mount_point":"/boot"
"mount_point":"/sys/fs/cgroup"

Here is the output from the metricbeat logs where it parses that RegEx. Let me know if you need any further details from my side.

2018-03-22T14:58:06-07:00 DBG New condition regexp: map[mount_point:/[/-9A-Za-z]+]
2018-03-22T14:58:06-07:00 DBG Processors: drop_event, condition=regexp: map[mount_point:/[/-9A-Za-z]+]

Please help.

thanks..Naveen Gauba

What Metricbeat version are you using? And have you seen the filtering examples?

The version of metricbeat we are using is 6.0.0. I see that the example you pointed configures the filter differently. I tried that and failed. Will try that again and respond shortly.

This time I tried with the example you pointed to. But this did not work either. I still see MB monitoring the mount points such as /dev, /dev/pts etc.

metricbeat.modules:

  - module: system
    period: 30s
    metricsets: ["filesystem"]
    processors:
    - drop_event.when.regexp:
      system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host)($|/)'

Also I did not see the log message with the mount_point regex in the logs.

Looks like this is the only filter configuration that is actually processed by the system, as I can see the log messages reading the same. However, it does not really exclude the mount_points.

#------------------------------- System Module -------------------------------

  - module: system
    enabled: true
    period: 10s
    metricsets:
      - filesystem
    filters:
      - drop_event.when.regexp.mount_point: '^/(sys|cgroup|proc|dev|etc|host)($|/)'

Here is the log snippet.

2018-03-22T17:01:17-07:00 DBG Initializing Module type 'system': *system.Module={name:"system", config:{Module:"system", MetricSets:[filesystem], Enabled:true, Hosts:[0 hosts], Period:"10s", Timeout:"10s", Raw:false, Fields:null, FieldsUnderRoot:false, Tags:[]}}
2018-03-22T17:01:17-07:00 DBG New condition regexp: map[mount_point:\A/(?:sys|cgroup|proc|dev|etc|host)(?:(?-m:$)|/)]
2018-03-22T17:01:17-07:00 DBG Processors: drop_event, condition=regexp: map[mount_point:\A/(?:sys|cgroup|proc|dev|etc|host)(?:(?-m:$)|/)]
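
Added example, not part of any post above and not Metricbeat's own code: a small Go model of a drop_event regexp condition, run over the mount points quoted in the thread with both patterns from the posts, to separate "does the pattern match" from "does the condition find the field". It assumes the filesystem event nests the value under system.filesystem.mount_point (the key used in the second config) and that a condition on a field missing from the event evaluates to false; lookup, kept and mounts are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// lookup walks a dotted key through nested maps, the way a field path such as
// "system.filesystem.mount_point" addresses a nested event (simplified model).
func lookup(event map[string]interface{}, key string) (string, bool) {
	var cur interface{} = event
	for _, part := range strings.Split(key, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return "", false
		}
		if cur, ok = m[part]; !ok {
			return "", false
		}
	}
	s, ok := cur.(string)
	return s, ok
}

// kept returns the mount points that survive a drop_event regexp condition on field.
// Assumption: a field missing from the event makes the condition false (event kept).
func kept(field, pattern string, mounts []string) []string {
	re := regexp.MustCompile(pattern)
	var out []string
	for _, mp := range mounts {
		ev := map[string]interface{}{"system": map[string]interface{}{
			"filesystem": map[string]interface{}{"mount_point": mp}}}
		if v, ok := lookup(ev, field); ok && re.MatchString(v) {
			continue // condition true: event dropped
		}
		out = append(out, mp)
	}
	return out
}

// Mount points quoted in the thread; the event layout above is constructed.
var mounts = []string{"/", "/run/shm", "/run/user", "/boot", "/sys/fs/cgroup", "/dev", "/dev/pts"}

func main() {
	fmt.Println(kept("system.filesystem.mount_point", `/[a-zA-Z0-9//]+`, mounts))
	fmt.Println(kept("system.filesystem.mount_point", `^/(sys|cgroup|proc|dev|etc|host)($|/)`, mounts))
	fmt.Println(kept("mount_point", `/[a-zA-Z0-9//]+`, mounts))
}
```

In this model the first pattern keeps only "/" when the condition uses the full field path, while the same pattern keyed on the bare mount_point finds no field and keeps every mount point.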
