System process metricset

edit

The System process metricset provides process statistics. One document is provided for each process.

This metricset is available on:

  • FreeBSD
  • Linux
  • macOS
  • Windows

Configuration

edit
processes

When the process metricset is enabled, you can use the processes option to define a list of regexp expressions to filter the processes that are reported. For more complex filtering, you should use the processors configuration option. See Processors for more information.

The following example config returns metrics for all processes:

metricbeat.modules:
- module: system
  metricsets: ["process"]
  processes: ['.*']
process.cgroups.enabled

When the process metricset is enabled, you can use this boolean configuration option to disable cgroup metrics. By default cgroup metrics collection is enabled.

The following example config disables cgroup metrics on Linux.

metricbeat.modules:
- module: system
  metricsets: ["process"]
  process.cgroups.enabled: false
process.cmdline.cache.enabled
This metricset caches the command line args for a running process by default. This means if you alter the command line for a process while this metricset is running, these changes are not detected. Caching can be disabled by setting process.cmdline.cache.enabled: false in the configuration.
process.env.whitelist

This metricset can collect the environment variables that were used to start the process. This feature is available on Linux, Darwin, and FreeBSD. No environment variables are collected by default because they could contain sensitive information. You must configure the environment variables that you wish to collect by specifying a list of regular expressions that match the variable name.

metricbeat.modules:
- module: system
  metricsets: ["process"]
  process.env.whitelist:
  - '^PATH$'
  - '^SSH_.*'
process.include_cpu_ticks

By default the cumulative CPU tick values are not reported by this metricset (only percentages are reported). Setting this option to true will enable the reporting of the raw CPU tick values (for user, system, and total CPU time).

metricbeat.modules:
- module: system
  metricsets: ["process"]
  process.include_cpu_ticks: true
process.include_per_cpu
By default metrics per cpu are reported when available. Setting this option to false will disable the reporting of these metrics.
process.include_top_n
These options allow you to filter out all processes that are not in the top N by CPU or memory, in order to reduce the number of documents created. If both the by_cpu and by_memory options are used, the union of the two sets is included.
process.include_top_n.enabled
Set to false to disable the top N feature and include all processes, regardless of the other options. The default is true, but nothing is filtered unless one of the other options (by_cpu or by_memory) is set to a non-zero value.
process.include_top_n.by_cpu
How many processes to include from the top by CPU. The processes are sorted by the system.process.cpu.total.pct field. The default is 0.
process.include_top_n.by_memory
How many processes to include from the top by memory. The processes are sorted by the system.process.memory.rss.bytes field. The default is 0.

This is a default metricset. If the host module is unconfigured, this metricset is enabled by default.

Fields

edit

For a description of each field in the metricset, see the exported fields section.

Here is an example document generated by this metricset:

{
    "@timestamp": "2017-10-12T08:05:34.853Z",
    "event": {
        "dataset": "system.process",
        "duration": 115000,
        "module": "system"
    },
    "metricset": {
        "name": "process",
        "period": 10000
    },
    "process": {
        "args": [
            "/usr/lib/systemd/systemd",
            "--switched-root",
            "--system",
            "--deserialize",
            "28"
        ],
        "name": "systemd",
        "pgid": 1,
        "pid": 1,
        "ppid": 0
    },
    "service": {
        "type": "system"
    },
    "system": {
        "process": {
            "cgroup": {
                "blkio": {
                    "id": "init.scope",
                    "path": "/init.scope",
                    "total": {
                        "bytes": 7453696,
                        "ios": 548
                    }
                },
                "cpu": {
                    "cfs": {
                        "period": {
                            "us": 100000
                        },
                        "quota": {
                            "us": 0
                        },
                        "shares": 1024
                    },
                    "id": "init.scope",
                    "path": "/init.scope",
                    "rt": {
                        "period": {
                            "us": 0
                        },
                        "runtime": {
                            "us": 0
                        }
                    },
                    "stats": {
                        "periods": 0,
                        "throttled": {
                            "ns": 0,
                            "periods": 0
                        }
                    }
                },
                "cpuacct": {
                    "id": "init.scope",
                    "path": "/init.scope",
                    "percpu": {
                        "1": 3930656993407,
                        "2": 4025787490535,
                        "3": 4064460082910,
                        "4": 3387847262532
                    },
                    "stats": {
                        "system": {
                            "ns": 4996000000000
                        },
                        "user": {
                            "ns": 10329380000000
                        }
                    },
                    "total": {
                        "ns": 15408751829384
                    }
                },
                "id": "init.scope",
                "memory": {
                    "id": "init.scope",
                    "kmem": {
                        "failures": 0,
                        "limit": {
                            "bytes": 9223372036854771712
                        },
                        "usage": {
                            "bytes": 9404416,
                            "max": {
                                "bytes": 14987264
                            }
                        }
                    },
                    "kmem_tcp": {
                        "failures": 0,
                        "limit": {
                            "bytes": 9223372036854771712
                        },
                        "usage": {
                            "bytes": 0,
                            "max": {
                                "bytes": 0
                            }
                        }
                    },
                    "mem": {
                        "failures": 0,
                        "limit": {
                            "bytes": 9223372036854771712
                        },
                        "usage": {
                            "bytes": 29437952,
                            "max": {
                                "bytes": 70705152
                            }
                        }
                    },
                    "memsw": {
                        "failures": 0,
                        "limit": {
                            "bytes": 9223372036854771712
                        },
                        "usage": {
                            "bytes": 30392320,
                            "max": {
                                "bytes": 70705152
                            }
                        }
                    },
                    "path": "/init.scope",
                    "stats": {
                        "active_anon": {
                            "bytes": 3444736
                        },
                        "active_file": {
                            "bytes": 10563584
                        },
                        "cache": {
                            "bytes": 10752000
                        },
                        "hierarchical_memory_limit": {
                            "bytes": 9223372036854771712
                        },
                        "hierarchical_memsw_limit": {
                            "bytes": 9223372036854771712
                        },
                        "inactive_anon": {
                            "bytes": 6197248
                        },
                        "inactive_file": {
                            "bytes": 327680
                        },
                        "major_page_faults": 198,
                        "mapped_file": {
                            "bytes": 9867264
                        },
                        "page_faults": 3626304,
                        "pages_in": 1095732,
                        "pages_out": 1090806,
                        "rss": {
                            "bytes": 9592832
                        },
                        "rss_huge": {
                            "bytes": 0
                        },
                        "swap": {
                            "bytes": 675840
                        },
                        "unevictable": {
                            "bytes": 0
                        }
                    }
                },
                "path": "/init.scope"
            },
            "cmdline": "/usr/lib/systemd/systemd --switched-root --system --deserialize 28",
            "cpu": {
                "start_time": "2020-08-27T01:05:16.000Z",
                "total": {
                    "norm": {
                        "pct": 0.0056
                    },
                    "pct": 0.0222,
                    "value": 15389060
                }
            },
            "memory": {
                "rss": {
                    "bytes": 12853248,
                    "pct": 0.0008
                },
                "share": 7118848,
                "size": 176881664
            },
            "state": "sleeping"
        }
    },
    "user": {
        "name": "root"
    }
}