Glad you found it...
This is often confused... I have helped many others with this; the functionality is not always clear...
Turning on ALL the processes can significantly increase the number of metrics you collect.
I suggest you look CLOSELY at these settings, as they are easily misunderstood.
Example
process.include_top_n.enabled
Set to false to disable the top N feature and include all processes, regardless of the other options. The default is true, but nothing is filtered unless one of the other options (by_cpu or by_memory) is set to a non-zero value.
You removed the two lines that disable filtering, but the Top N feature is still enabled without filtering—this is a minor distinction. I use this setting when I want to include the filter while being able to toggle the Top N feature on or off.
There are whitelist options and other methods for filtering available.
Additionally, you can actually apply more than one metricset definition, allowing you to have both Top N and a specific named set at the same time. Please refer to this thread for more information: Metricbeat doesn't recognize the process - #4 by stephenb.
Example
- module: system
  period: 10s
  metricsets: ['process']
  process.include_top_n:
    by_cpu: 5 # include top 5 processes by CPU
    by_memory: 5 # include top 5 processes by memory
- module: system
  period: 10s
  metricsets: ['process']
  processes: ['^sysmon*']
So, take some time to think about what you really need, and we can likely help you customize it to your requirements.
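An added illustration, not part of the original post and not Metricbeat's own code: a simplified Python model of how the settings discussed above select processes, so you can see which names each definition would report before deploying it. The function names `select` and `combined`, the dictionary keys, and the sample process table are constructed for this example; the model reports names only and ignores that two definitions emit separate events.

```python
import re

# Constructed sample: (process name, cpu %, memory in MB)
SAMPLE = [
    ("chrome", 41.0, 900), ("java", 33.5, 2400), ("sysmon", 0.2, 30),
    ("sshd", 0.1, 12), ("postgres", 12.0, 1800), ("sysmonitor", 0.0, 5),
    ("cron", 0.0, 4),
]


def select(procs, patterns=(".*",), enabled=True, by_cpu=0, by_memory=0):
    """Model one `process` metricset definition: name regexes, then top N."""
    matched = [p for p in procs if any(re.search(rx, p[0]) for rx in patterns)]
    # Top N filters nothing when it is disabled or when both limits are zero.
    if not enabled or (by_cpu == 0 and by_memory == 0):
        return {p[0] for p in matched}
    top_cpu = sorted(matched, key=lambda p: p[1], reverse=True)[:by_cpu]
    top_mem = sorted(matched, key=lambda p: p[2], reverse=True)[:by_memory]
    return {p[0] for p in top_cpu + top_mem}


def combined(procs, definitions):
    """Names reported by at least one of several metricset definitions."""
    names = set()
    for definition in definitions:
        names |= select(procs, **definition)
    return names


TWO_DEFS = [
    {"by_cpu": 2, "by_memory": 2},   # first definition: top N only
    # `n*` means "zero or more n", so this is a prefix match on "sysmo".
    {"patterns": [r"^sysmon*"]},     # second definition: named set
]

if __name__ == "__main__":
    print("top N only      :", sorted(select(SAMPLE, by_cpu=2, by_memory=2)))
    print("top N + named   :", sorted(combined(SAMPLE, TWO_DEFS)))
    print("enabled, no N   :", len(select(SAMPLE)), "processes")
    print("enabled: false  :", len(select(SAMPLE, enabled=False, by_cpu=2)))
```
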