diff --git a/packages/kibana/_dev/build/docs/README.md b/packages/kibana/_dev/build/docs/README.md index 7f31c45ca6e..748c74b98f8 100644 --- a/packages/kibana/_dev/build/docs/README.md +++ b/packages/kibana/_dev/build/docs/README.md @@ -93,4 +93,36 @@ This status endpoint is available in 6.0 by default and can be enabled in Kibana | service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | | service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | -{{event "status"}} \ No newline at end of file +{{event "status"}} + +### Cluster actions + +Cluster actions metrics documentation + +{{fields "cluster_actions"}} + +{{event "cluster_actions"}} + +### Cluster rules + +Cluster rules metrics + +{{fields "cluster_rules"}} + +{{event "cluster_rules"}} + +### Node actions + +Node actions metrics + +{{fields "node_actions"}} + +{{event "node_actions"}} + +### Node rules + +Node rules metrics + +{{fields "node_rules"}} + +{{event "node_rules"}} diff --git a/packages/kibana/docs/README.md b/packages/kibana/docs/README.md index de827e8b093..ae86564bbe2 100644 --- a/packages/kibana/docs/README.md +++ b/packages/kibana/docs/README.md 
@@ -337,4 +337,444 @@ An example event for `status` looks as following: } } } -``` \ No newline at end of file +``` + +### Cluster actions + +Cluster actions metrics documentation + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cluster_uuid | | alias | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| kibana.cluster_actions.overdue.count | | long | +| kibana.cluster_actions.overdue.delay.p50 | | float | +| kibana.cluster_actions.overdue.delay.p99 | | float | +| kibana.elasticsearch.cluster.id | | keyword | +| kibana_stats.kibana.uuid | | alias | +| kibana_stats.kibana.version | | alias | +| kibana_stats.timestamp | | alias | +| process.pid | Process id. | long | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. 
| keyword | +| timestamp | | alias | + + +An example event for `cluster_actions` looks as following: + +```json +{ + "agent": { + "name": "docker-fleet-agent", + "id": "83c9f2b5-5134-4df2-88d8-ae48906024fc", + "type": "metricbeat", + "ephemeral_id": "f0c34fc3-ac35-4a80-80ed-a0de44ff6be0", + "version": "8.5.0" + }, + "service.id": "543c4fcf-bf38-4483-8cc4-df01fcb095e1", + "elastic_agent": { + "id": "83c9f2b5-5134-4df2-88d8-ae48906024fc", + "version": "8.5.0", + "snapshot": true + }, + "@timestamp": "2022-08-06T21:38:59.780Z", + "service.version": "8.5.0", + "ecs": { + "version": "8.0.0" + }, + "service": { + "address": "https://kibana:5601/api/monitoring_collection/cluster_actions", + "type": "kibana" + }, + "service.address": "0.0.0.0:5601", + "data_stream": { + "namespace": "default", + "type": "metrics", + "dataset": "kibana.cluster_actions" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.47-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "type": "linux", + "family": "debian", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": true, + "ip": [ + "172.20.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:14:00:07" + ], + "architecture": "x86_64" + }, + "metricset": { + "period": 10000, + "name": "cluster_actions" + }, + "event": { + "duration": 13732239, + "agent_id_status": "verified", + "ingested": "2022-08-06T21:39:00Z", + "module": "kibana", + "dataset": "kibana.cluster_actions" + }, + "kibana": { + "elasticsearch.cluster.id": "Og-OqdQZQ62JHTfGBMc0CA", + "cluster_actions": { + "overdue": { + "delay": { + "p99": 0, + "p50": 0 + }, + "count": 0 + } + } + } +} +``` + +### Cluster rules + +Cluster rules metrics + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. 
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cluster_uuid | | alias | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | +| kibana.cluster_rules.overdue.count | | long | +| kibana.cluster_rules.overdue.delay.p50 | | float | +| kibana.cluster_rules.overdue.delay.p99 | | float | +| kibana.elasticsearch.cluster.id | | keyword | +| kibana_stats.kibana.uuid | | alias | +| kibana_stats.kibana.version | | alias | +| kibana_stats.timestamp | | alias | +| process.pid | Process id. | long | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. 
| keyword | +| timestamp | | alias | + + +An example event for `cluster_rules` looks as following: + +```json +{ + "agent": { + "name": "docker-fleet-agent", + "id": "83c9f2b5-5134-4df2-88d8-ae48906024fc", + "ephemeral_id": "f0c34fc3-ac35-4a80-80ed-a0de44ff6be0", + "type": "metricbeat", + "version": "8.5.0" + }, + "service.id": "543c4fcf-bf38-4483-8cc4-df01fcb095e1", + "elastic_agent": { + "id": "83c9f2b5-5134-4df2-88d8-ae48906024fc", + "version": "8.5.0", + "snapshot": true + }, + "@timestamp": "2022-08-06T21:41:29.650Z", + "service.version": "8.5.0", + "ecs": { + "version": "8.0.0" + }, + "service": { + "address": "https://kibana:5601/api/monitoring_collection/cluster_rules", + "type": "kibana" + }, + "data_stream": { + "namespace": "default", + "type": "metrics", + "dataset": "kibana.cluster_rules" + }, + "service.address": "0.0.0.0:5601", + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.47-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "type": "linux", + "family": "debian", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": true, + "ip": [ + "172.20.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:14:00:07" + ], + "architecture": "x86_64" + }, + "metricset": { + "period": 10000, + "name": "cluster_rules" + }, + "event": { + "duration": 8419517, + "agent_id_status": "verified", + "ingested": "2022-08-06T21:41:30Z", + "module": "kibana", + "dataset": "kibana.cluster_rules" + }, + "kibana": { + "elasticsearch.cluster.id": "Og-OqdQZQ62JHTfGBMc0CA", + "cluster_rules": { + "overdue": { + "delay": { + "p99": 0, + "p50": 0 + }, + "count": 0 + } + } + } +} +``` + +### Node actions + +Node actions metrics + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. 
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cluster_uuid | | alias | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | +| kibana.elasticsearch.cluster.id | | keyword | +| kibana.node_actions.executions | | long | +| kibana.node_actions.failures | | long | +| kibana.node_actions.timeouts | | long | +| kibana_stats.kibana.uuid | | alias | +| kibana_stats.kibana.version | | alias | +| kibana_stats.timestamp | | alias | +| process.pid | Process id. | long | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. 
| keyword | +| timestamp | | alias | + + +An example event for `node_actions` looks as following: + +```json +{ + "agent": { + "name": "docker-fleet-agent", + "id": "83c9f2b5-5134-4df2-88d8-ae48906024fc", + "type": "metricbeat", + "ephemeral_id": "f0c34fc3-ac35-4a80-80ed-a0de44ff6be0", + "version": "8.5.0" + }, + "service.id": "543c4fcf-bf38-4483-8cc4-df01fcb095e1", + "elastic_agent": { + "id": "83c9f2b5-5134-4df2-88d8-ae48906024fc", + "version": "8.5.0", + "snapshot": true + }, + "@timestamp": "2022-08-06T21:42:19.560Z", + "ecs": { + "version": "8.0.0" + }, + "service.version": "8.5.0", + "service.address": "0.0.0.0:5601", + "service": { + "address": "https://kibana:5601/api/monitoring_collection/node_actions", + "type": "kibana" + }, + "data_stream": { + "namespace": "default", + "type": "metrics", + "dataset": "kibana.node_actions" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.47-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "family": "debian", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": true, + "ip": [ + "172.20.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:14:00:07" + ], + "architecture": "x86_64" + }, + "metricset": { + "period": 10000, + "name": "node_actions" + }, + "event": { + "duration": 6658572, + "agent_id_status": "verified", + "ingested": "2022-08-06T21:42:20Z", + "module": "kibana", + "dataset": "kibana.node_actions" + }, + "kibana": { + "elasticsearch.cluster.id": "Og-OqdQZQ62JHTfGBMc0CA", + "node_actions": { + "failures": 0, + "executions": 0, + "timeouts": 0 + } + } +} +``` + +### Node rules + +Node rules metrics + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. 
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cluster_uuid | | alias | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| kibana.elasticsearch.cluster.id | | keyword | +| kibana.node_rules.executions | | long | +| kibana.node_rules.failures | | long | +| kibana.node_rules.timeouts | | long | +| kibana_stats.kibana.uuid | | alias | +| kibana_stats.kibana.version | | alias | +| kibana_stats.timestamp | | alias | +| process.pid | Process id. 
| long | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. 
| keyword | +| timestamp | | alias | + + +An example event for `node_rules` looks as following: + +```json +{ + "agent": { + "name": "docker-fleet-agent", + "id": "83c9f2b5-5134-4df2-88d8-ae48906024fc", + "ephemeral_id": "f0c34fc3-ac35-4a80-80ed-a0de44ff6be0", + "type": "metricbeat", + "version": "8.5.0" + }, + "service.id": "543c4fcf-bf38-4483-8cc4-df01fcb095e1", + "elastic_agent": { + "id": "83c9f2b5-5134-4df2-88d8-ae48906024fc", + "version": "8.5.0", + "snapshot": true + }, + "@timestamp": "2022-08-06T21:42:59.474Z", + "service.version": "8.5.0", + "ecs": { + "version": "8.0.0" + }, + "service.address": "0.0.0.0:5601", + "data_stream": { + "namespace": "default", + "type": "metrics", + "dataset": "kibana.node_rules" + }, + "service": { + "address": "https://kibana:5601/api/monitoring_collection/node_rules", + "type": "kibana" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.47-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "type": "linux", + "family": "debian", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": true, + "ip": [ + "172.20.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:14:00:07" + ], + "architecture": "x86_64" + }, + "metricset": { + "period": 10000, + "name": "node_rules" + }, + "kibana": { + "elasticsearch.cluster.id": "Og-OqdQZQ62JHTfGBMc0CA", + "node_rules": { + "failures": 0, + "executions": 0, + "timeouts": 0 + } + }, + "event": { + "duration": 9031470, + "agent_id_status": "verified", + "ingested": "2022-08-06T21:43:00Z", + "module": "kibana", + "dataset": "kibana.node_rules" + } +} +``` diff --git a/packages/kibana/manifest.yml b/packages/kibana/manifest.yml index 80d79c8ef16..387e2c17359 100644 --- a/packages/kibana/manifest.yml +++ b/packages/kibana/manifest.yml 
@@ -24,7 +24,7 @@ policy_templates:
 description: 'Collecting audit and application logs from Kibana instances'
 - type: kibana/metrics
 title: Collect Kibana metrics
- description: Collecting stats and status metrics from Kibana instances
+ description: Collecting stats, status and alert metrics from Kibana instances
 vars:
 - name: hosts
 type: text
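Review bot: The new description on the `kibana/metrics` input says "alert metrics", but the data streams documented in the README hunks of this same diff are `cluster_actions`, `cluster_rules`, `node_actions` and `node_rules`, so the wording does not tell an operator which metrics the policy will start collecting. Consider `description: Collecting stats, status and alerting (rules and actions) metrics from Kibana instances`. The `policy_templates` entry starts and ends outside this hunk, so whether the four new data streams are actually attached to this input cannot be confirmed from the visible lines.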