Do you use Elastic and Metricbeats for process monitoring and alerting? How did you configure your data gathering and alerting?
I am currently trying to set this up, and running into some basic issues. These issues are making me question whether Elastic is a suitable tool for alerting. Here is my planned setup:
process.cpu.start_time from Metricbeats is very young (e.g. it has only been running for under 5 minutes), alert!I have been working my way through this using the following approach:
process.cpu.start_time, as a text string in ISO date format. Elastic lens queries are very limited with dates.process.cpu.start_epoch, which is an integer - the Unix epoch: "seconds since January 1, 1970".last metric. This works and gives me "the time that the process started, as a Unix epoch".now and that integer. However I don't see anything in the lens documentation about doing date math. So I'm stuck.The difficulties I am encountering are making me wonder if I am "doing it wrong"? Is Elastic/Metricbeats a suitable tool for what I am trying to achieve?
Answer: find the right hammer!
What I needed is called "Elastic runtime fields". There's a step-by-step writeup here: https://elastic-content-share.eu/elastic-runtime-field-example-repository/
Summary:
process.cpu.start.ageemit(Date().getTime() - doc['process.cpu.start'].value.toEpochMilli());PS: I deleted my logstash filters, because they were superfluous.