Question about Elasticsearch query

New to the community and not sure this is the best category for this question, but here goes:

We're trying to monitor CPU thresholds through Rules and Connectors with Beats 7.16. We originally were doing this using Metric Threshold alerts. However, we now have a need to report the top 10 CPU consumers, and there doesn't seem to be a way to add that into a Metric Threshold rule.

I was pointed to using Elasticsearch Query, but I can't quite figure out how to write a query to look for a similar metric of average of system.cpu.total.norm.pct and then report the top N processes using high CPU. I have been poring through documentation trying to find the answer but, so far, no dice. I have found something akin to it in the ECS part of the docs, but I don't know if this can be used in an Elasticsearch query rule. If someone could point me to documentation and/or syntactical examples of compounded queries, I would be very appreciative. Thanks in advance!

Update:

I have been working through what documentation I have been able to find, but I am unable to get the syntax to work. It appears the Elasticsearch Query DSL is not as comprehensive as Watcher. I can't seem to find a compounded field that will accept sort or size for the below process.

```json
{
  "query": {
    "bool": {
      "must": [
        { "match": { "host.name": "hostname" } }
      ],
      "should": [
        { "range": { "system.cpu.total.norm.pct": { "gte": 10 } } },
        { "match": { "process.name": { "sort": "desc", "size": 10 } } }
      ]
    }
  }
}
```
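A `_search` body that does what the post asks for, as an added example (not from the original post): the host and CPU conditions go into a `bool` `filter`, and the "top N" part is a `terms` aggregation on `process.name` ordered by an `avg` sub-aggregation, which is where `size` and sort order actually live in the Query DSL. It assumes Metricbeat's per-process `system.process` metricset is indexed (field `system.process.cpu.total.norm.pct`, a 0..1 fraction, so 10% is 0.10), that `hostname` is a placeholder, and it does not establish whether a 7.16 Elasticsearch query rule forwards aggregation buckets to its actions.

```python
# Added example: builds the search body for "top N processes by average
# normalized CPU on one host" and reduces the response into a ranked list.
# Field names assume Metricbeat's system.process metricset (an assumption).
import json


def top_cpu_processes_query(host: str, min_pct: float = 0.10, size: int = 10) -> dict:
    """Return a _search body; hits are suppressed (size 0), the answer is in aggs."""
    return {
        "size": 0,
        "query": {
            "bool": {
                # filter, not should: every clause must hold, none affects scoring
                "filter": [
                    {"term": {"host.name": host}},
                    {"range": {"@timestamp": {"gte": "now-5m"}}},
                    # norm.pct is a 0..1 fraction, so a 10% floor is 0.10, not 10
                    {"range": {"system.process.cpu.total.norm.pct": {"gte": min_pct}}},
                ]
            }
        },
        "aggs": {
            "by_process": {
                "terms": {
                    "field": "process.name",
                    "size": size,
                    # buckets sorted by the sub-aggregation, highest average first
                    "order": {"avg_cpu": "desc"},
                },
                "aggs": {"avg_cpu": {"avg": {"field": "system.process.cpu.total.norm.pct"}}},
            }
        },
    }


def top_processes_from_response(resp: dict) -> list:
    """Turn the aggregation buckets of a _search response into [(name, avg_pct), ...]."""
    buckets = resp.get("aggregations", {}).get("by_process", {}).get("buckets", [])
    return [(b["key"], round(b["avg_cpu"]["value"], 2)) for b in buckets]


# Constructed sample response, shaped like what Elasticsearch returns for the query above.
SAMPLE_RESPONSE = {
    "aggregations": {"by_process": {"buckets": [
        {"key": "java", "doc_count": 12, "avg_cpu": {"value": 0.62}},
        {"key": "postgres", "doc_count": 12, "avg_cpu": {"value": 0.31}},
    ]}}
}

if __name__ == "__main__":
    print(json.dumps(top_cpu_processes_query("hostname"), indent=2))
    print(top_processes_from_response(SAMPLE_RESPONSE))
```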

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.