TOP N processes (System process metrics)

Rafa_Silva · March 9, 2026, 1:02am

Hi Fabian

Elastic Agent does not maintain a table for 60 seconds and then calculate the sum for all processes.

At every collection interval (in your example 60s), the System integration:
. Reads the CPU counters for all running processes from the OS.
. Calculates the CPU usage delta since the previous collection for each process.
. Normalizes the value by the number of CPU cores (system.process.cpu.total.norm.pct).
. Sorts the processes by CPU usage.
. Keeps and sends only the Top N processes (Top 15 in your example).

So the Top N selection happens at each collection cycle, based on the CPU usage between the last two samples, not on an accumulated table over the whole 60-second window.

Topic		Replies	Views
System.cpu.total.norm.pct different of the sum system.process.cpu.total.norm.pct Beats metricbeat	4	3562	February 15, 2021
Getting aggregated view of 100% CPU across all dashboard views for windows server Beats metricbeat	5	1264	June 4, 2018
Unable to Visualise Metricbeat system.process.CPU data Beats metricbeat	1	2370	November 21, 2017
How do I modify collect specific processes and top 10 processes in metricbeat's system module? Elasticsearch	3	848	June 4, 2021
I have created a Kibana dashboard for Top 10 Process by CPU Usage , the data is not coming up for 15 or 30 minutes or even for 1 hour Kibana	4	483	April 27, 2023

TOP N processes (System process metrics)

Related topics