I am using Elastic stack 7.8.1 and trying to create a table summarizing Linux process info based on metricbeat (all using the default configuration).
The system metrics are collected every 60 seconds, and the summary table, which presents all process info, calculates the average CPU usage for the last 1h and then splits it into buckets per process id, as shown in the screenshot. For some unclear (to me) reason some (not all) processes show system.process.cmdline empty (the aggregation marks it as missing), while I do see the field with correct cmdline values when I run queries in 'Discover'.
You are using a terms aggregation to display the value of system.process.cmdline. This means it's using the indexed value of this keyword field. There is a limit in the mapping for these called ignore_above. You can check your mapping to get the actual value, but it seems like system.process.cmdline is sometimes above that limit. In Discover you can see the value because it's not relying on the index but on the separately stored.

There are two things you could do:

- Change the ignore_above value to something higher and re-index existing data.
- Change the mapping to store text as well if it's not happening already, then refresh the index pattern and use a "Top Hit" metric aggregation instead of a "Terms" bucket aggregation to show the value of system.process.cmdline in your table. In this case there is no limit to the length.
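Checking the diagnosis above offline, as an added Python example that is not part of the thread: it reads the field's ignore_above from a constructed mapping fragment, lists the constructed sample documents whose cmdline exceeds it (the ones a terms aggregation would report as missing), and builds the PUT _mapping body that adds a text multi-field for the second fix. The mapping, the documents and the limit of 64 are constructed assumptions, not the thread's real values.

```python
import copy

FIELD = "system.process.cmdline"

# Constructed mapping fragment for the metricbeat index; the ignore_above value (64)
# is an assumption chosen to keep the example small, not the thread's real setting.
SAMPLE_MAPPING = {"properties": {"system": {"properties": {"process": {"properties": {
    "pid": {"type": "long"},
    "cmdline": {"type": "keyword", "ignore_above": 64},
}}}}}}

# Constructed documents standing in for two metricbeat process events.
SAMPLE_DOCS = [
    {"system": {"process": {"pid": 101, "cmdline": "/usr/sbin/sshd -D"}}},
    {"system": {"process": {"pid": 202, "cmdline":
        "/usr/bin/java " + "-Dopt.flag=1 " * 10 + "-jar /opt/app/server.jar"}}},
]


def walk(obj, dotted, is_mapping=False):
    """Follow a dotted path; for a mapping, descend through 'properties' objects."""
    for part in dotted.split("."):
        obj = obj["properties"][part] if is_mapping else obj[part]
    return obj


def values_not_indexed(docs, mapping, dotted):
    """Return (pid, length) for values longer than ignore_above (a character count).

    Elasticsearch skips indexing keyword values above that limit, so a terms
    aggregation reports them as missing while Discover, which reads the stored
    document rather than the index, still shows them.
    """
    limit = walk(mapping, dotted, is_mapping=True).get("ignore_above")
    if limit is None:  # no limit configured, so every value is indexed
        return []
    return [(walk(d, "system.process.pid"), len(walk(d, dotted)))
            for d in docs if len(walk(d, dotted)) > limit]


def add_text_multifield(mapping, dotted):
    """Build a PUT <index>/_mapping body adding a 'text' sub-field (the answer's
    second option); a Top Hit aggregation can then show the full value."""
    body = copy.deepcopy(mapping)
    walk(body, dotted, is_mapping=True).setdefault("fields", {})["text"] = {"type": "text"}
    return body
```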
Thumb up. Your explanation completely makes sense. I followed your advice and it works now as expected. Appreciate your assistance. Thanks a lot.