Process.name incomplete

wifi · October 2, 2020, 2:53pm

Somehow the process name gets cut off and i end up with process.name like "ansible-playboo" instead of "ansible-playbook"

It seems tat the name is cut off after the 15th character

I checked the mapping for process.name:

GET metricbeat-7.9.1-000008/_mapping/field/process.name

{
  "metricbeat-7.9.1-000008" : {
    "mappings" : {
      "process.name" : {
        "full_name" : "process.name",
        "mapping" : {
          "name" : {
            "type" : "keyword",
            "fields" : {
              "text" : {
                "type" : "text",
                "norms" : false
              }
            },
            "ignore_above" : 1024
          }
        }
      }
    }
  }
}

Can't see anything wrong... Any clues what the issue is?

Kaiyan_Sheng · October 5, 2020, 10:22pm

Hello! Are you using the metricbeat system module in this case? Could you share your config for the module please? Thank you!

wifi · October 6, 2020, 6:19am

here it is:

# Module: system
# Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.8/metricbeat-module-system.html

- module: system
  period: 10s
  metricsets:
    - cpu
    - load
    - memory
    - network
    - process
    - process_summary
    - socket_summary
    #- entropy
    #- core
    #- diskio
    #- socket
    #- service
    #- users
  process.include_top_n:
    by_cpu: 5      # include top 5 processes by CPU
    by_memory: 5   # include top 5 processes by memory

- module: system
  period: 1m
  metricsets:
    - filesystem
    - fsstat
  processors:
  - drop_event.when.regexp:
      system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)'

- module: system
  period: 15m
  metricsets:
    - uptime

#- module: system
#  period: 5m
#  metricsets:
#    - raid
#  raid.mount_point: '/'

wifi · October 15, 2020, 12:37pm

An example document:

{
  "_index": "metricbeat-7.9.2-000003",
  "_type": "_doc",
  "_id": "t4k3J3UBGS9yby_KINOp",
  "_version": 1,
  "_score": null,
  "_source": {
    "@version": "1",
    "ecs": {
      "version": "1.5.0"
    },
    "tags": [
      "beats_input_raw_event"
    ],
    "service": {
      "type": "system"
    },
    "process": {
      "args": [
        "/usr/bin/python2",
        "/usr/bin/ansible-playbook",
        "--ask-vault-pass",
        "-i",
        "inventories/dev",
        "--skip-tags",
        "debug",
        "--tags",
        "install",
        "-e",
        "",
        "playbooks/filebeat.yml"
      ],
      "pid": 9628,
      "ppid": 9626,
      "pgid": 9606,
      "name": "ansible-playboo"
    },
    "metricset": {
      "period": 10000,
      "name": "process"
    },
    "system": {
      "process": {
        "memory": {
          "share": 5541888,
          "size": 467177472,
          "rss": {
            "pct": 0.002,
            "bytes": 66600960
          }
        },
        "state": "running",
        "cpu": {
          "start_time": "2020-10-14T13:04:14.000Z",
          "total": {
            "pct": 0.4792,
            "norm": {
              "pct": 0.0599
            },
            "value": 20800
          }
        },
        "cmdline": "/usr/bin/python2 /usr/bin/ansible-playbook --ask-vault-pass -i inventories/dev --skip-tags debug --tags install -e  playbooks/filebeat.yml"
      }
    },
    "@timestamp": "2020-10-14T13:05:24.435Z",
    "user": {
      "name": "faadmin"
    },
    "host": {
      "architecture": "x86_64",
      "hostname": "my_kibana_server",
      "ip": [
        "10.128.113.8",
        "fe80::250:56ff:fe3e:724"
      ],
      "mac": [
        "00:50:56:3e:07:24"
      ],
      "name": "my_kibana_server",
      "os": {
        "family": "redhat",
        "version": "7.9 (Maipo)",
        "codename": "Maipo",
        "name": "Red Hat Enterprise Linux Server",
        "platform": "rhel",
        "kernel": "3.10.0-1160.2.1.el7.x86_64"
      },
      "containerized": false,
      "id": "30f130795bbc40239af1345f312f1319"
    },
    "event": {
      "module": "system",
      "duration": 63018385,
      "dataset": "system.process"
    },
    "agent": {
      "hostname": "my_kibana_server",
      "name": "my_kibana_server",
      "type": "metricbeat",
      "version": "7.9.2",
      "ephemeral_id": "dd4c76bf-42a5-40b4-b5f9-5546a3aab142",
      "id": "780381de-2def-4cdb-9df0-3e7806ebcf96"
    }
  },
  "fields": {
    "system.process.cpu.start_time": [
      "2020-10-14T13:04:14.000Z"
    ],
    "@timestamp": [
      "2020-10-14T13:05:24.435Z"
    ]
  },
  "highlight": {
    "process.name": [
      "@kibana-highlighted-field@ansible-playboo@/kibana-highlighted-field@"
    ],
    "mongodb.status.process": [
      "@kibana-highlighted-field@ansible-playboo@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1602680724435
  ]
}

wifi · October 15, 2020, 1:42pm

there has been a similar issue in the past:

Kaiyan_Sheng · November 3, 2020, 8:13pm

I was able to reproduce this problem on my MacBook and I just created a github issue for fixing this! Thank you so much and so sorry for the delay!! https://github.com/elastic/beats/issues/22404

system · December 1, 2020, 10:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Metricbeat] system.process.cmdline often missing Beats	3	818	April 25, 2017
System process informamtion logged wrong? Beats metricbeat	2	295	May 20, 2020
Metricbeat system module, processes seems to only see metricbeat.exe Beats metricbeat	5	994	January 1, 2019
Issues with process monitoration Beats metricbeat	3	1291	November 18, 2016
Metricbeat Process information Beats metricbeat	6	349	January 13, 2021

Process.name incomplete

Related topics