System Fields

System status metrics, like CPU and memory usage, that are collected from the operating system.

system Fields

system contains local system metrics.

core Fields

system-core contains local CPU core stats.

system.core.id

type: long

CPU Core number.

system.core.user.pct

type: scaled_float

format: percent

The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the cpu.user_p will be 180%.

system.core.user.ticks

type: long

The amount of CPU time spent in user space.

system.core.system.pct

type: scaled_float

format: percent

The percentage of CPU time spent in kernel space.

system.core.system.ticks

type: long

The amount of CPU time spent in kernel space.

system.core.nice.pct

type: scaled_float

format: percent

The percentage of CPU time spent on low-priority processes.

system.core.nice.ticks

type: long

The amount of CPU time spent on low-priority processes.

system.core.idle.pct

type: scaled_float

format: percent

The percentage of CPU time spent idle.

system.core.idle.ticks

type: long

The amount of CPU time spent idle.

system.core.iowait.pct

type: scaled_float

format: percent

The percentage of CPU time spent in wait (on disk).

system.core.iowait.ticks

type: long

The amount of CPU time spent in wait (on disk).

system.core.irq.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling hardware interrupts.

system.core.irq.ticks

type: long

The amount of CPU time spent servicing and handling hardware interrupts.

system.core.softirq.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling software interrupts.

system.core.softirq.ticks

type: long

The amount of CPU time spent servicing and handling software interrupts.

system.core.steal.pct

type: scaled_float

format: percent

The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

system.core.steal.ticks

type: long

The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

cpu Fields

cpu contains local CPU stats.

system.cpu.user.pct

type: scaled_float

format: percent

The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the cpu.user_p will be 180%.

system.cpu.system.pct

type: scaled_float

format: percent

The percentage of CPU time spent in kernel space.

system.cpu.nice.pct

type: scaled_float

format: percent

The percentage of CPU time spent on low-priority processes.

system.cpu.idle.pct

type: scaled_float

format: percent

The percentage of CPU time spent idle.

system.cpu.iowait.pct

type: scaled_float

format: percent

The percentage of CPU time spent in wait (on disk).

system.cpu.irq.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling hardware interrupts.

system.cpu.softirq.pct

type: scaled_float

format: percent

The percentage of CPU time spent servicing and handling software interrupts.

system.cpu.steal.pct

type: scaled_float

format: percent

The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

system.cpu.user.ticks

type: long

The amount of CPU time spent in user space.

system.cpu.system.ticks

type: long

The amount of CPU time spent in kernel space.

system.cpu.nice.ticks

type: long

The amount of CPU time spent on low-priority processes.

system.cpu.idle.ticks

type: long

The amount of CPU time spent idle.

system.cpu.iowait.ticks

type: long

The amount of CPU time spent in wait (on disk).

system.cpu.irq.ticks

type: long

The amount of CPU time spent servicing and handling hardware interrupts.

system.cpu.softirq.ticks

type: long

The amount of CPU time spent servicing and handling software interrupts.

system.cpu.steal.ticks

type: long

The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.

diskio Fields

disk contains disk IO metrics collected from the operating system.

system.diskio.name

type: keyword

example: sda1

The disk name.

system.diskio.serial_number

type: keyword

The disk’s serial number. This may not be provided by all operating systems.

system.diskio.read.count

type: long

The total number of reads completed successfully.

system.diskio.write.count

type: long

The total number of writes completed successfully.

system.diskio.read.bytes

type: long

format: bytes

The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.

system.diskio.write.bytes

type: long

format: bytes

The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.

system.diskio.read.time

type: long

The total number of milliseconds spent by all reads.

system.diskio.write.time

type: long

The total number of milliseconds spent by all writes.

system.diskio.io.time

type: long

The total number of of milliseconds spent doing I/Os.

filesystem Fields

filesystem contains local filesystem stats.

system.filesystem.available

type: long

format: bytes

The disk space available to an unprivileged user in bytes.

system.filesystem.device_name

type: keyword

The disk name. For example: /dev/disk1

system.filesystem.mount_point

type: keyword

The mounting point. For example: /

system.filesystem.files

type: long

The total number of file nodes in the file system.

system.filesystem.free

type: long

format: bytes

The disk space available in bytes.

system.filesystem.free_files

type: long

The number of free file nodes in the file system.

system.filesystem.total

type: long

format: bytes

The total disk space in bytes.

system.filesystem.used.bytes

type: long

format: bytes

The used disk space in bytes.

system.filesystem.used.pct

type: scaled_float

format: percent

The percentage of used disk space.

fsstat Fields

system.fsstat contains filesystem metrics aggregated from all mounted filesystems, similar with what df -a prints out.

system.fsstat.count

type: long

Number of file systems found.

system.fsstat.total_files

type: long

Total number of files.

total_size Fields

Nested file system docs.

system.fsstat.total_size.free

type: long

format: bytes

Total free space.

system.fsstat.total_size.used

type: long

format: bytes

Total used space.

system.fsstat.total_size.total

type: long

format: bytes

Total space (used plus free).

load Fields

Load averages.

system.load.1

type: scaled_float

Load average for the last minute.

system.load.5

type: scaled_float

Load average for the last 5 minutes.

system.load.15

type: scaled_float

Load average for the last 15 minutes.

system.load.norm.1

type: scaled_float

Load divided by the number of cores for the last minute.

system.load.norm.5

type: scaled_float

Load divided by the number of cores for the last 5 minutes.

system.load.norm.15

type: scaled_float

Load divided by the number of cores for the last 15 minutes.

memory Fields

memory contains local memory stats.

system.memory.total

type: long

format: bytes

Total memory.

system.memory.used.bytes

type: long

format: bytes

Used memory.

system.memory.free

type: long

format: bytes

The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).

system.memory.used.pct

type: scaled_float

format: percent

The percentage of used memory.

actual Fields

Actual memory used and free.

system.memory.actual.used.bytes

type: long

format: bytes

Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check system.actual.free.

system.memory.actual.free

type: long

format: bytes

Actual free memory in bytes. It is calculated based on the OS. On Linux it consists of the free memory plus caches and buffers. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to system.memory.free.

system.memory.actual.used.pct

type: scaled_float

format: percent

The percentage of actual used memory.

swap Fields

This group contains statistics related to the swap memory usage on the system.

system.memory.swap.total

type: long

format: bytes

Total swap memory.

system.memory.swap.used.bytes

type: long

format: bytes

Used swap memory.

system.memory.swap.free

type: long

format: bytes

Available swap memory.

system.memory.swap.used.pct

type: scaled_float

format: percent

The percentage of used swap memory.

network Fields

network contains network IO metrics for a single network interface.

system.network.name

type: keyword

example: eth0

The network interface name.

system.network.out.bytes

type: long

format: bytes

The number of bytes sent.

system.network.in.bytes

type: long

format: bytes

The number of bytes received.

system.network.out.packets

type: long

The number of packets sent.

system.network.in.packets

type: long

The number or packets received.

system.network.in.errors

type: long

The number of errors while receiving.

system.network.out.errors

type: long

The number of errors while sending.

system.network.in.dropped

type: long

The number of incoming packets that were dropped.

system.network.out.dropped

type: long

The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.

process Fields

process contains process metadata, CPU metrics, and memory metrics.

system.process.name

type: keyword

The process name.

system.process.state

type: keyword

The process state. For example: "running".

system.process.pid

type: long

The process pid.

system.process.ppid

type: long

The process parent pid.

system.process.pgid

type: long

The process group id.

system.process.cmdline

type: keyword

The full command-line used to start the process, including the arguments separated by space.

system.process.username

type: keyword

The username of the user that created the process. If the username cannot be determined, the field will contain the user’s numeric identifier (UID). On Windows, this field includes the user’s domain and is formatted as domain\username.

cpu Fields

CPU-specific statistics per process.

system.process.cpu.user

type: long

The amount of CPU time the process spent in user space.

system.process.cpu.total.pct

type: scaled_float

format: percent

The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.

system.process.cpu.system

type: long

The amount of CPU time the process spent in kernel space.

system.process.cpu.total.ticks

type: long

The total CPU time spent by the process.

system.process.cpu.start_time

type: date

The time when the process was started.

memory Fields

Memory-specific statistics per process.

system.process.memory.size

type: long

format: bytes

The total virtual memory the process has.

system.process.memory.rss.bytes

type: long

format: bytes

The Resident Set Size. The amount of memory the process occupied in main memory (RAM).

system.process.memory.rss.pct

type: scaled_float

format: percent

The percentage of memory the process occupied in main memory (RAM).

system.process.memory.share

type: long

format: bytes

The shared memory the process uses.

fd Fields

File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD.

system.process.fd.open

type: long

The number of file descriptors open by the process.

system.process.fd.limit.soft

type: long

The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.

system.process.fd.limit.hard

type: long

The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.

cgroup Fields

This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.

Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux.

system.process.cgroup.id

type: keyword

The ID common to all cgroups associated with this task. If there isn’t a common ID used by all cgroups this field will be absent.

system.process.cgroup.path

type: keyword

The path to the cgroup relative to the cgroup subsystem’s mountpoint. If there isn’t a common path used by all cgroups this field will be absent.

cpu Fields

The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period.

system.process.cgroup.cpu.id

type: keyword

ID of the cgroup.

system.process.cgroup.cpu.path

type: keyword

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

system.process.cgroup.cpu.cfs.period.us

type: long

Period of time in microseconds for how regularly a cgroup’s access to CPU resources should be reallocated.

system.process.cgroup.cpu.cfs.quota.us

type: long

Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).

system.process.cgroup.cpu.cfs.shares

type: long

An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.

system.process.cgroup.cpu.rt.period.us

type: long

Period of time in microseconds for how regularly a cgroup’s access to CPU resources is reallocated.

system.process.cgroup.cpu.rt.runtime.us

type: long

Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.

system.process.cgroup.cpu.stats.periods

type: long

Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.

system.process.cgroup.cpu.stats.throttled.periods

type: long

Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).

system.process.cgroup.cpu.stats.throttled.ns

type: long

The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.

cpuacct Fields

CPU accounting metrics.

system.process.cgroup.cpuacct.id

type: keyword

ID of the cgroup.

system.process.cgroup.cpuacct.path

type: keyword

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

system.process.cgroup.cpuacct.total.ns

type: long

Total CPU time in nanoseconds consumed by all tasks in the cgroup.

system.process.cgroup.cpuacct.stats.user.ns

type: long

CPU time consumed by tasks in user mode.

system.process.cgroup.cpuacct.stats.system.ns

type: long

CPU time consumed by tasks in user (kernel) mode.

system.process.cgroup.cpuacct.percpu

type: dict

CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.

memory Fields

Memory limits and metrics.

system.process.cgroup.memory.id

type: keyword

ID of the cgroup.

system.process.cgroup.memory.path

type: keyword

Path to the cgroup relative to the cgroup subsystem’s mountpoint.

system.process.cgroup.memory.mem.usage.bytes

type: long

format: bytes

Total memory usage by processes in the cgroup (in bytes).

system.process.cgroup.memory.mem.usage.max.bytes

type: long

format: bytes

The maximum memory used by processes in the cgroup (in bytes).

system.process.cgroup.memory.mem.limit.bytes

type: long

format: bytes

The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.

system.process.cgroup.memory.mem.failures

type: long

The number of times that the memory limit (mem.limit.bytes) was reached.

system.process.cgroup.memory.memsw.usage.bytes

type: long

format: bytes

The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).

system.process.cgroup.memory.memsw.usage.max.bytes

type: long

format: bytes

The maximum amount of memory and swap space used by processes in the cgroup (in bytes).

system.process.cgroup.memory.memsw.limit.bytes

type: long

format: bytes

The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.

system.process.cgroup.memory.memsw.failures

type: long

The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.

system.process.cgroup.memory.kmem.usage.bytes

type: long

format: bytes

Total kernel memory usage by processes in the cgroup (in bytes).

system.process.cgroup.memory.kmem.usage.max.bytes

type: long

format: bytes

The maximum kernel memory used by processes in the cgroup (in bytes).

system.process.cgroup.memory.kmem.limit.bytes

type: long

format: bytes

The maximum amount of kernel memory that tasks in the cgroup are allowed to use.

system.process.cgroup.memory.kmem.failures

type: long

The number of times that the memory limit (kmem.limit.bytes) was reached.

system.process.cgroup.memory.kmem_tcp.usage.bytes

type: long

format: bytes

Total memory usage for TCP buffers in bytes.

system.process.cgroup.memory.kmem_tcp.usage.max.bytes

type: long

format: bytes

The maximum memory used for TCP buffers by processes in the cgroup (in bytes).

system.process.cgroup.memory.kmem_tcp.limit.bytes

type: long

format: bytes

The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.

system.process.cgroup.memory.kmem_tcp.failures

type: long

The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.

system.process.cgroup.memory.stats.active_anon.bytes

type: long

format: bytes

Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.active_file.bytes

type: long

format: bytes

File-backed memory on active LRU list, in bytes.

system.process.cgroup.memory.stats.cache.bytes

type: long

format: bytes

Page cache, including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes

type: long

format: bytes

Memory limit for the hierarchy that contains the memory cgroup, in bytes.

system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes

type: long

format: bytes

Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.

system.process.cgroup.memory.stats.inactive_anon.bytes

type: long

format: bytes

Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes

system.process.cgroup.memory.stats.inactive_file.bytes

type: long

format: bytes

File-backed memory on inactive LRU list, in bytes.

system.process.cgroup.memory.stats.mapped_file.bytes

type: long

format: bytes

Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.page_faults

type: long

Number of times that a process in the cgroup triggered a page fault.

system.process.cgroup.memory.stats.major_page_faults

type: long

Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.

system.process.cgroup.memory.stats.pages_in

type: long

Number of pages paged into memory. This is a counter.

system.process.cgroup.memory.stats.pages_out

type: long

Number of pages paged out of memory. This is a counter.

system.process.cgroup.memory.stats.rss.bytes

type: long

format: bytes

Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.

system.process.cgroup.memory.stats.rss_huge.bytes

type: long

format: bytes

Number of bytes of anonymous transparent hugepages.

system.process.cgroup.memory.stats.swap.bytes

type: long

format: bytes

Swap usage, in bytes.

system.process.cgroup.memory.stats.unevictable.bytes

type: long

format: bytes

Memory that cannot be reclaimed, in bytes.

blkio Fields

Block IO metrics.

system.process.cgroup.blkio.id

type: keyword

ID of the cgroup.

system.process.cgroup.blkio.path

type: keyword

Path to the cgroup relative to the cgroup subsystems mountpoint.

system.process.cgroup.blkio.total.bytes

type: long

format: bytes

Total number of bytes transferred to and from all block devices by processes in the cgroup.

system.process.cgroup.blkio.total.ios

type: long

Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.