Topbeat _p fields on Windows hosts

meons · February 24, 2016, 7:47pm

Hi there,
I have deployed Topbeat on some Windows 7 hosts but I see a problem when I analyse logs in Kibana:
proc.mem.rss and proc.cpu.user fields recieve the correct data from hosts but proc.mem.rss_p and proc.cpu.user_p always have a 0 value, so I can't create graphs with percentages. I don't understand why those fields are not filled...

I have an another question about this page https://www.elastic.co/guide/en/beats/topbeat/current/_step_6_loading_sample_kibana_dashboards.html#_example_of_a_system_wide_overview Could you explain me how it's possible to have a value greater that 1 in column Average proc.mem.rss_p (value 2.3 for line topbeat.exe -> 230% ?!)

andrewkroh · February 29, 2016, 2:33am

Most of my values are zero too, but not all of them. Try using the following query in Kibana to see if there are any.

type:process AND (proc.cpu.user_p:>0 OR proc.mem.rss_p:>0)

Here a data point from Topbeat 1.1.1 running on Windows 7 where both proc.cpu.user_p > 0 and proc.mem.rss_p > 0.

{
    "@timestamp": "2016-02-29T02:05:35.127Z",
    "beat": {
      "hostname": "win7-on-osx",
      "name": "win7-on-osx"
    },
    "count": 1,
    "proc": {
      "cpu": {
        "user": 3734,
        "user_p": 0.07,
        "system": 1609,
        "total": 5343,
        "start_time": "Aug09"
      },
      "mem": {
        "size": 36691968,
        "rss": 64774144,
        "rss_p": 0.03,
        "share": 0
      },
      "name": "chrome.exe",
      "pid": 11120,
      "ppid": 0,
      "state": "running"
    },
    "type": "process"
  }

We have made a change (not released yet) to increase the precision on the CPU percentage to 4 decimal places. With version 1.1.1 the percentage is just 2 decimal places, so a lot of the time CPU percentage ends up as 0 because it's less than 0.05 and it rounds down. There was no change to rss_p.

I haven't seen this in my data. I just did a search over the last 30 days for values greater that 1. Maybe that image was generated from an old version (@monica do you know?). If you see that problem in your data, report it here.

meons · March 3, 2016, 6:34pm

Thank you for your response @andrewkroh
Topbeat is installed on 7 hosts and send data every 1 min. If I try your query (proc.cpu.user_p:>0 OR proc.mem.rss_p:>0) I get only 7 hits with "Last 24 hours" timestamp and 35 hits with "Last 7 days" timestamp, it's really poor compared to expected result.
One more thing to give you all information. Topbeat is configured to send data to a Logstash server (input beats) where I just add some fields (filter) brefore forward it to Elasticsearch (output elastic). So I don't think that's linked with my issue.
Do you have any other ideas for this issue?

About the 2nd issue I didn't see that in my data but I just was surprised when I saw this value because it's not logical. Anyway I will let you know if I see something like that in prod.