Host metricsedit

If you haven’t already, you need to install and configure Metricbeat to populate the Metrics app with data. For more information, see Ingest metrics.

Host metrics are ingested using the Metricbeat system module, which is enabled by default, and become available for analysis in the Metrics app.

To help you analyze the host metrics listed on the Inventory page, you can select view filters based on the following predefined metrics or you can add custom metrics.

CPU Usage

Average of system.cpu.user.pct added to the average of system.cpu.system.pct divided by system.cpu.cores.

Memory Usage

Average of system.memory.actual.used.pct.


Average of system.load.5.

Inbound Traffic

Derivative of the maximum of scaled to a 1 second rate.

Outbound Traffic

Derivative of the maximum of scaled to a 1 second rate.

Log Rate

Derivative of the cumulative sum of the document count scaled to a 1 second rate. This metric relies on the same indices as the logs.

For information about which required fields the Metrics app uses to display host metrics, see the Metrics field reference.

Host detailsedit

Without leaving the Inventory page, you can view enhanced details relating to each host running in your infrastructure. On the waffle map, select the host to display the host details overlay.

The host details overlay contains the following tabs:

Host metrics

The Metrics tab displays CPU, load, memory, and network metrics relating to the host. You can change the time range to view metrics over the last 15 minutes, hour, 3 hours, 24 hours, or over the previous seven days. You can also hover over a specific time period on a chart to compare the various metrics at that given time.


Averages of system.cpu.user.pct divided by system.cpu.cores and system.cpu.system.pct divided by system.cpu.cores.


Averages of system.load.1, system.load.5, and system.load.15.


For Linux systems, memory used is the average of system.memory.actual.used.bytes and memory free is the average of For non-Linux systems, memory used is the average of system.memory.used.bytes and memory free is the average of


Rates of and

Host logs

The Logs tab displays logs relating to the host that you have selected. By default, the logs tab displays the following columns.


The timestamp of the log entry from the timestamp field.


The message extracted from the document. The content of this field depends on the type of log message. If no special log message type is detected, the Elastic Common Schema (ECS) base field, message, is used.

You can customize the logs view by adding a column for an arbitrary field you would like to filter by. For more information, see Customize Stream. To view the logs in the Logs app for a detailed analysis, click Open in Logs.

Host processes

The Processes tab lists the total number of processes ( running on the host, along with the total number of processes in these various states:

  • Running (system.process.summary.running)
  • Sleeping (system.process.summary.sleeping)
  • Stopped (system.process.summary.stopped)
  • Idle (system.process.summary.idle)
  • Dead (system.process.summary.dead)
  • Zombie (system.process.summary.zombie)
  • Unknown (system.process.summary.unknown)

The processes listed in the Top processes table are based on an aggregation of the top CPU and the top memory consuming processes. The number of top processes is controlled by process.include_top_n.by_cpu and process.include_top_n.by_memory.


Full command line that started the process, including the absolute path to the executable, and all the arguments (system.process.cmdline).


Process id (


User name (


The percentage of CPU time spent by the process since the last event (


The time the process started (system.process.cpu.start_time).


The percentage of memory (system.process.memory.rss.pct) the process occupied in main memory (RAM).


The current state of the process and the total number of processes (system.process.state). Expected values are: running, sleeping, dead, stopped, idle, zombie, and unknown.

Host metadata

The Metadata tab lists all the meta information relating to the host:

  • Host information
  • Cloud information
  • Agent information

All of this information can help when investigating events—for example, filtering by operating system or architecture.