Windows perfmon metricset

edit

The perfmon metricset of the Windows module reads Windows performance counters.

Configuration

edit

You must configure queries for the Windows performance counters that you wish to collect. The example below collects processor time and disk writes every 10 seconds. If either of the counters do not exist it will ignore the error.

- module: windows
  metricsets: [perfmon]
  period: 10s
  perfmon.ignore_non_existent_counters: true
  perfmon.group_measurements_by_instance: true
  perfmon.queries:
  - object: "Process"
    instance: ["svchost*", "conhost*"]
    counters:
    - name: "% Processor Time"
      field: time.processor.pct
      format: "float"
    - name: "Thread Count"
      field: thread_count
    - name: "IO Read Operations/sec"
  - object: "PhysicalDisk"
    field : "disk"
    instance: "*"
    counters:
    - name: "Disk Writes/sec"
    - name: "% Disk Write Time"
      field: "write_time"
      format: "float"


  // deprecated, will be removed in 8.0

  perfmon.counters:
    - instance_label: processor.name
      instance_name: total
      measurement_label: processor.time.total.pct
      query: '\Processor Information(_Total)\% Processor Time'

    - instance_label: physical_disk.name
      measurement_label: physical_disk.write.per_sec
      query: '\PhysicalDisk(*)\Disk Writes/sec'

    - instance_label: physical_disk.name
      measurement_label: physical_disk.write.time.pct
      query: '\PhysicalDisk(*)\% Disk Write Time'
ignore_non_existent_counters
A boolean option that causes the metricset to ignore errors caused by counters that do not exist when set to true. Instead of an error, a message will be logged at the info level stating that the counter does not exist.
group_measurements_by_instance
A boolean option that causes metricbeat to send all measurements with a matching perfmon instance as part of a single event. In the above example, this will cause the physical_disk.write.per_sec and physical_disk.write.time.pct measurements to be sent as a single event. The default behaviour is for all measurements to be sent as separate events.
refresh_wildcard_counters
A boolean option to refresh the counter list at each fetch. By default, the counter list will be retrieved at the starting time, to refresh the list at each fetch, users will have to enable this setting.
counters
Counters specifies a list of queries to perform. Each individual counter requires three config options - instance_label, measurement_label, and query.

Query Configuration

edit

Each item in the query list specifies multiple perfmon queries to perform. In the events generated by the metricset these configuration options map to the field values as shown below.

object
The performance object to query. A performance object can be a physical component, such as processors, disks, and memory, or a system object, such as processes and threads. Required
field
The object field/label. Not required, if not entered, it will be object.
instance
Matches the ParentInstance, ObjectInstance, and InstanceIndex are included in the path if multiple instances of the object can exist. Not required for performance counters which do not contain one.
counters
List of the partial counter paths (At least one partial counter path is required).
name
The counter name. Required. This is the counter specified in Performance Data Helper (PDH) syntax. For example in case of the counter path \Processor Information(_Total)\% Processor Time, the value for this configuration option will be % Processor Time.
field
The counter path value field/label. Not required, if not entered, it will be generated based on the counter path.
format
Format of the measurement value. The value can be either float, large or long. The default is float.

Deprecated Counter Configuration

edit

Each item in the counters list specifies a perfmon query to perform. In the events generated by the metricset these configuration options map to the field values as shown below.

"%[instance_label]": "%[instance_name] or <perfmon_counter_name>",
"%[measurement_label]": <perfmon_counter_value>,
instance_label
The label used to identify the counter instance.
instance_name

The instance name to use in the event when the counter’s path (query) does not include an instance or when you want to override the instance name. For example with \Processor Information(_Total) the instance name would be _Total and by setting instance_name: total you can override the value.

The setting has no effect with wildcard queries (e.g. \PhysicalDisk(*)\Disk Writes/sec).

measurement_label
The label used for the value returned by the query. This field is required.
query
The perfmon query. This is the counter path specified in Performance Data Helper (PDH) syntax. This field is required. For example \Processor Information(_Total)\% Processor Time. An asterisk can be used in place of an instance name to perform a wildcard query that generates an event for each counter instance (e.g. \PhysicalDisk(*)\Disk Writes/sec).
format
Format of the measurement value. The value can be either float, large or long. The default is float.

Fields

edit

For a description of each field in the metricset, see the exported fields section.

Here is an example document generated by this metricset:

{
    "@timestamp": "2017-10-12T08:05:34.853Z",
    "event": {
        "dataset": "windows.perfmon",
        "duration": 115000,
        "module": "windows"
    },
    "metricset": {
        "name": "perfmon",
        "period": 10000
    },
    "service": {
        "type": "windows"
    },
    "windows": {
        "perfmon": {
            "instance": "_Total",
            "metrics": {
                "processor": {
                    "time": {
                        "total": {
                            "pct": 6.310940413107646
                        }
                    }
                }
            },
            "object": "Processor Information"
        }
    }
}