System process metricset

The System process metricset provides process statistics. One document is provided for each process.

This metricset is available on:

  • FreeBSD
  • Linux
  • macOS
  • Windows



When the process metricset is enabled, you can use the processes option to define a list of regular expressions that filter the processes that are reported. For more complex filtering, use the processors configuration option. See Filter and enhance the exported data for more information.

The following example config returns metrics for all processes:

- module: system
  metricsets: ["process"]
  processes: ['.*']

When the process metricset is enabled, you can use the process.cgroups.enabled boolean configuration option to disable cgroup metrics. By default, cgroup metrics collection is enabled.

The following example config disables cgroup metrics on Linux.

- module: system
  metricsets: ["process"]
  process.cgroups.enabled: false

This metricset caches the command-line arguments for a running process by default. This means that if you alter the command line for a process while this metricset is running, the changes are not detected. Caching can be disabled by setting process.cmdline.cache.enabled: false in the configuration.

This metricset can collect the environment variables that were used to start the process. This feature is available on Linux, Darwin, and FreeBSD. No environment variables are collected by default because they could contain sensitive information. You must configure the environment variables that you wish to collect by specifying a list of regular expressions that match the variable name.

- module: system
  metricsets: ["process"]
  process.env.whitelist:
  - '^PATH$'
  - '^SSH_.*'
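
The following added example (not part of the Metricbeat documentation or code base) shows why the sample patterns above are anchored: it audits a candidate whitelist against a constructed environment and reports which variable names would be collected and which of those look like credentials. It uses Python's re module as a stand-in and assumes patterns are matched unanchored against the variable name; the function names, the sample environment, and the sensitive-name heuristic are all hypothetical.

```python
import re

# Constructed sample environment for illustration (no real values).
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "LD_LIBRARY_PATH": "/opt/app/lib",
    "SSH_AUTH_SOCK": "/tmp/ssh-XXXX/agent.1234",
    "SSH_CONNECTION": "192.0.2.10 50514 192.0.2.20 22",
    "AWS_SECRET_ACCESS_KEY": "EXAMPLE-NOT-A-REAL-KEY",
    "DB_PASSWORD": "example-password",
    "VAULT_TOKEN_PATH": "/run/secrets/vault",
    "HOME": "/home/app",
}

# Heuristic for names that usually hold credentials (an assumption of this example).
SENSITIVE_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|KEY)", re.I)


def collected(patterns, env):
    """Return the sorted variable names selected by any whitelist pattern.

    Assumes unanchored matching (a pattern may match anywhere in the name),
    which is why the documentation's sample patterns carry ^ and $ anchors.
    """
    compiled = [re.compile(p) for p in patterns]
    return sorted(n for n in env if any(c.search(n) for c in compiled))


def audit(patterns, env):
    """Split the selected names into (ok, sensitive) lists."""
    names = collected(patterns, env)
    sensitive = [n for n in names if SENSITIVE_NAME.search(n)]
    ok = [n for n in names if n not in sensitive]
    return ok, sensitive


if __name__ == "__main__":
    for label, patterns in [
        ("anchored (from the page)", ["^PATH$", "^SSH_.*"]),
        ("unanchored", ["PATH", "SSH_"]),
        ("catch-all", [".*"]),
    ]:
        ok, sensitive = audit(patterns, SAMPLE_ENV)
        print(f"{label}: collect={ok} sensitive={sensitive}")
```

Running the audit against the environment of a representative host before deploying a whitelist shows whether a loose pattern would ship secret-bearing variables into the metrics index.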

By default, the cumulative CPU tick values are not reported by this metricset (only percentages are reported). Setting process.include_cpu_ticks to true enables reporting of the raw CPU tick values (for user, system, and total CPU time).

- module: system
  metricsets: ["process"]
  process.include_cpu_ticks: true

The process.include_top_n options allow you to filter out all processes that are not in the top N by CPU or memory, in order to reduce the number of documents created. If both the by_cpu and by_memory options are used, the union of the two sets is included.

  • enabled: Set to false to disable the top N feature and include all processes, regardless of the other options. The default is true, but nothing is filtered unless one of the other options (by_cpu or by_memory) is set to a non-zero value.
  • by_cpu: How many processes to include from the top by CPU. The processes are sorted by the field. The default is 0.
  • by_memory: How many processes to include from the top by memory. The processes are sorted by the system.process.memory.rss.bytes field. The default is 0.


For a description of each field in the metricset, see the exported fields section.

Here is an example document generated by this metricset:

{
    "@timestamp": "2017-10-12T08:05:34.853Z",
    "beat": {
        "hostname": "",
        "name": ""
    },
    "metricset": {
        "module": "system",
        "name": "process",
        "rtt": 115
    },
    "system": {
        "process": {
            "cmdline": "/var/folders/k3/xlwbcsmj6dd7vjv2tg1d7c_40000gn/T/go-build217299100/ -data",
            "cpu": {
                "start_time": "2017-10-12T10:41:40.406Z",
                "total": {
                    "norm": {
                        "pct": 0.0226
                    },
                    "pct": 0.0902
                }
            },
            "memory": {
                "rss": {
                    "bytes": 11612160,
                    "pct": 0.0007
                },
                "share": 0,
                "size": 569977466880
            },
            "name": "process.test",
            "pgid": 10585,
            "pid": 10731,
            "ppid": 10585,
            "state": "running",
            "username": "ruflin"
        }
    }
}