These docs are for Cribl Edge 4.11 and are no longer actively maintained.
See the latest version (4.14).
Windows System Metrics Details
Events generated by the Windows Metrics Source include metrics metadata to designate dimension and metric fields. The host field contains the hostname, and is included as a dimension in all of them.
The collectors include:
In the Source’s configuration modal, You can set the level of detail for each type of metrics:
- Basic enables minimal metrics, averaged or aggregated.
- All enables full, detailed metrics, specified for individual CPUs, interfaces, and so on.
- Custom displays sub-menus and buttons from which you can choose a level of detail (Basic, All, Custom, or Disabled) for each type of event.
- Disabled means that no metrics will be generated.
Basic and Custom have different meanings depending on event type and will be described under each section below.
The tables outline the metrics emitted for each mode (Basic or Custom) and where applicable, the dimensions (to indicate where the metrics are coming from).
System
With System Metrics enabled, Cribl Edge captures CPU load averages, uptime, and count. The Custom option option allows you to include detailed metrics. These are Windows-specific metrics including OS information, system uptime, CPU architecture, etc.
Metrics for the overall system include the following:
| Name | Description | Type | Dimensions | Mode | 
|---|---|---|---|---|
| windows_cs_logical_processors | Number of installed logical processors. | Gauge | N/A | Basic | 
| windows_cs_physical_memory_bytes | Total installed physical memory. | Gauge | N/A | Basic | 
| windows_os_info | Contains full product name & version in labels. | Gauge | product,version | Basic | 
| windows_os_physical_memory_free_bytes | Bytes of physical memory currently unused and available. | Gauge | N/A | Basic | 
| windows_os_processes | Number of process contexts currently loaded or running on the operating system. | Gauge | N/A | Basic | 
| windows_system_processor_queue_length | Number of threads in the processor queue. | Gauge | N/A | Basic | 
| windows_system_threads | Number of Windows system threads. | Gauge | N/A | Basic | 
| windows_cs_hostname | Labeled system hostname information. | Gauge | hostname,domain,fqdn | Custom: Detailed | 
| windows_cpu_info | Labeled CPU information. | Gauge | architecture,device_id,description,family,l2_cache_size,l3_cache_size,name | Custom: Detailed | 
| windows_os_paging_limit_bytes | Total number of bytes that can be stored in the operating system paging files. | Gauge | N/A | Custom: Detailed | 
| windows_os_paging_free_bytes | Number of bytes that can be mapped into the operating system paging files without causing any other pages to be swapped out. | Gauge | N/A | Custom: Detailed | 
| windows_os_processes_limit | Maximum number of process contexts the operating system can support. | Gauge | N/A | Custom: Detailed | 
| windows_os_process_memory_limit_bytes | Maximum number of bytes of memory that can be allocated to a process. | Gauge | N/A | Custom: Detailed | 
| windows_os_virtual_memory_bytes | Bytes of virtual memory. | Gauge | N/A | Custom: Detailed | 
| windows_system_exception_dispatches_total | Total exceptions dispatched by the system. | Counter | N/A | Custom: Detailed | 
| windows_system_system_calls_total | Total combined calls to Windows NT system service routines by all processes running on the computer. | Counter | N/A | Custom: Detailed | 
| windows_system_system_up_time | Time of last boot of system. | Gauge | N/A | Custom: Detailed | 
CPU
Basic level captures active, user, system, idle, and iowait percentages over all CPUs.
Custom level toggles the following on or off: Per CPU metrics, Detailed metrics (i.e., metrics for all CPU states), and CPU time metrics (i.e., raw, monotonic CPU time counters).
Metrics for CPUs include the following:
| Name | Description | Type | Dimensions | Mode | 
|---|---|---|---|---|
| windows_cpu_percent_active_all | CPU percent active usage | Gauge | core,mode | Basic | 
| windows_cpu_percent_active | CPU percent active usage per CPU | Gauge | core,mode | Basic or Custom: Per CPUandCPU timemetrics | 
| windows_cpu_percent | CPU percent active usage | Gauge | core,modeis set touser,idle,privileged,interrupt,dpc | Basic or Custom: Per CPUandCPU timemetrics | 
| windows_cpu_parking_status | Parking Status represents whether a processor is parked or not. | Counter | core | Basic or Custom: Per CPUandCPU timemetrics | 
| windows_cpu_core_frequency_mhz | Core frequency in megahertz. | Gauge | core | Basic or Custom: Per CPUandCPU timemetrics | 
| windows_cpu_time_all_total | Sum of all cpu_timeacross all cores. | Gauge | mode | Basic or Custom: CPU timemetrics | 
| windows_cpu_cstate_seconds_total | Time spent in low-power idle state. | Counter | core,state | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_time_total | Time that processor spent in different modes (idle, user, system etc.). | Counter | core,mode | Custom: Per CPUandCPU timemetrics | 
| windows_cpu_interrupts_total | Total number of received and serviced hardware interrupts. | Counter | core | Custom: Per CPUorDetailedmetrics | 
| windows_cpu_dpcs_total | Total number of received and serviced deferred procedure calls (DPCs). | Counter | core | Custom: Per CPUorDetailedmetrics | 
| windows_cpu_clock_interrupts_total | Total number of received and serviced clock tick interrupts. | Counter | core | Custom: Per CPUorDetailedmetrics | 
| windows_cpu_idle_break_events_total | Total number of time processor was woken from idle. | Counter | core | Custom: Per CPUorDetailedmetrics | 
| windows_cpu_processor_performance | Average performance of the processor while it is executing instructions. | Gauge. | core | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_percent_processor_performance | Average performance of the processor while it is executing instructions, as a percentage of the nominal performance of the processor. | Gauge. | core | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_percent_processor_utility | Amount of work a processor is completing, as a percentage of the amount of work the processor could complete if it were running at its nominal performance and never idle. | Gauge. | core | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_average_idle_time | Processor idle time. | Gauge | mode | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_percent_privilege_utility | Amount of work a processor is completing while executing in privileged mode. | Gauge | mode | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_interrupts_total_per_sec | Total number of received and serviced hardware interrupts, computed average on a per second interval. | Gauge | mode | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_dpcs_total_per_sec | Total number of received and serviced deferred procedure calls (DPCs), computed average on a per second interval. | Gauge | mode | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_clock_interrupts_total_per_sec | Total number of received and serviced clock tick interrupts, computed average on a per second interval. | Gauge | mode | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_idle_break_events_total_per_sec | Total number of time processor was woken from idle, computed average on a per second interval. | Gauge | mode | Custom: Per CPUandDetailedmetrics | 
| windows_cpu_percent_all_total | Core frequency in megahertz. | Gauge | modeis set todpc,idle,interrupt,privilege,user,active | Custom: CPU timemetrics | 
Memory
Basic level captures captures total, used, available, swap_free, and swap_total.
Custom level toggles Detailed metrics on or off. (These are metrics for all memory states.)
Metrics for memory include the following:
| Name | Description | Type | Dimensions | Mode | 
|---|---|---|---|---|
| windows_memory_available_bytes | Physical memory that is immediately available for allocation to a process or for system use. This is the sum of the standby (cached), free, and zero page lists. | Gauge | N/A | Basic | 
| windows_memory_cache_bytes | Number of bytes currently being used by the filesystem cache | Gauge | N/A | Basic | 
| windows_memory_cache_bytes_peak | Maximum number of CacheBytesafter the system was last restarted. | Gauge | N/A | Basic | 
| windows_memory_cache_faults_total | Faults that occur when a page sought in the filesystem cache is not found there and must be retrieved elsewhere in memory (soft fault) or from disk (hard fault). | Counter | N/A | Basic | 
| windows_memory_commit_limit | Bytes of virtual memory that can be committed without having to extend paging files. | Gauge | N/A | Basic | 
| windows_memory_committed_bytes | Bytes of committed virtual memory. | Gauge | N/A | Basic | 
| windows_memory_pool_paged_allocs_total | Calls to allocate space in the paged pool, regardless of the amount of space allocated in each call. | Counter | N/A | Basic | 
| windows_memory_pool_paged_bytes | Number of bytes in the paged pool. | Gauge | N/A | Basic | 
| windows_memory_pool_paged_resident_bytes | The size, in bytes, of the portion of the paged pool that is currently resident and active in physical memory. The paged pool is an area of the system virtual memory used for objects that can be written to disk when they are not being used. | Gauge | N/A | Basic | 
| windows_memory_demand_zero_faults_total | Number of Zeroed pages required to satisfy faults. Windows uses zeroed pages as a security measure to prevent processes from seeing data stored by earlier processes that previously used the memory space. | Counter | N/A | Custom: Detailed | 
| windows_memory_free_and_zero_page_list_bytes | Physical memory allocated to free and zero pages, in bytes. This memory does not contain cached data. It is immediately available for allocation to a process or system use. | Gauge | N/A | Custom: Detailed | 
| windows_memory_free_system_page_table_entries | Page table entries not being used by the system. | Gauge | N/A | Custom: Detailed | 
| windows_memory_modified_page_list_bytes | Physical memory, in bytes, assigned to the modified page list. This memory contains cached data and code that is not actively in use by processes, the system, and the system cache. This memory needs to be written out before it will be available for allocation to a process or for system use. | Gauge | N/A | Custom: Detailed | 
| windows_memory_page_faults_total | Overall rate at which faulted pages are handled by the processor. | Counter | N/A | Custom: Detailed | 
| windows_memory_swap_page_reads_total | Disk page reads (a single read operation reading several pages is still only counted once). | Counter | N/A | Custom: Detailed | 
| windows_memory_swap_pages_read_total | Pages read across all page reads (i.e., counting all pages read even if they are read in a single operation). | Counter | N/A | Custom: Detailed | 
| windows_memory_swap_pages_written_total | Pages written across all page writes (i.e., counting all pages written even if they are written in a single operation). | Counter | N/A | Custom: Detailed | 
| windows_memory_swap_page_operations_total | Total number of swap page read and writes (PagesPersec). | Counter | N/A | Custom: Detailed | 
| windows_memory_swap_page_writes_total | Disk page writes (a single write operation writing several pages is still only counted once). | Counter | N/A | Custom: Detailed | 
| windows_memory_pool_nonpaged_allocs_total | The number of calls to allocate space in the non-paged pool. The non-paged pool is an area of system memory area for objects that cannot be written to disk, and must remain in physical memory as long as they are allocated | Counter. | N/A | Custom: Detailed | 
| windows_memory_pool_nonpaged_bytes | Non-paged pool, in bytes. The non-paged pool is an area of the system virtual memory that is used for objects that cannot be written to disk, but must remain in physical memory as long as they are allocated. | Gauge | N/A | Custom: Detailed | 
| windows_memory_standby_cache_core_bytes | Physical memory, in bytes, that is assigned to the core standby cache page lists. This memory contains cached data and code that is not actively in use by processes, the system, and the system cache. It is immediately available for allocation to a process or for system use. If the system runs out of available free and zero memory, memory on lower priority standby cache page lists will be repurposed before memory on higher priority standby cache page lists. | Gauge | N/A | Custom: Detailed | 
| windows_memory_standby_cache_normal_priority_bytes | Physical memory, in bytes, that is assigned to the normal priority standby cache page lists. This memory contains cached data and code that is not actively in use by processes, the system, and the system cache. It is immediately available for allocation to a process or for system use. If the system runs out of available free and zero memory, memory on lower priority standby cache page lists will be repurposed before memory on higher priority standby cache page lists. | Gauge | N/A | Custom: Detailed | 
| windows_memory_standby_cache_reserve_bytes | Pysical memory, in bytes, that is assigned to the reserve standby cache page lists. This memory contains cached data and code that is not actively in use by processes, the system and the system cache. It is immediately available for allocation to a process or for system use. If the system runs out of available free and zero memory, memory on lower priority standby cache page lists will be repurposed before memory on higher priority standby cache page lists. | Gauge | N/A | Custom: Detailed | 
| windows_memory_system_cache_resident_bytes | The size, in bytes, of the portion of the system file cache which is currently resident and active in physical memory. | Gauge | N/A | Custom: Detailed | 
| windows_memory_system_code_resident_bytes | The size, in bytes, of the pageable operating system code that is currently resident and active in physical memory. This value is a component of Memory/System Code Total Bytes. Memory/System Code Resident Bytes (and Memory/System Code Total Bytes) does not include code that must remain in physical memory and cannot be written to disk. | Gauge | N/A | Custom: Detailed | 
| windows_memory_system_code_total_bytes | The size, in bytes, of the pageable operating system code currently mapped into the system virtual address space. This value is calculated by summing the bytes in Ntoskrnl.exe, Hal.dll, the boot drivers, and filesystems loaded by Ntldr/osloader. This counter does not include code that must remain in physical memory and cannot be written to disk. | Gauge | N/A | Custom: Detailed | 
| windows_memory_system_driver_resident_bytes | The size, in bytes, of the pageable physical memory being used by device drivers. It is the working set (physical memory area) of the drivers. This value is a component of Memory/System Driver Total Bytes, which also includes driver memory that has been written to disk. Neither Memory/System Driver Resident Bytes nor Memory/System Driver Total Bytes includes memory that cannot be written to disk. | Gauge | N/A | Custom: Detailed | 
| windows_memory_system_driver_total_bytes | The size, in bytes, of the pageable virtual memory currently being used by device drivers. Pageable memory can be written to disk when it is not being used. It includes both physical memory (Memory/System Driver Resident Bytes) and code and data paged to disk. It is a component of Memory/System Code Total Bytes. | Gauge | N/A | Custom: Detailed | 
| windows_memory_transition_faults_total | Rate at which page faults are resolved, by recovering pages that were being used by another process sharing the page, or were on the modified page list or the standby list, or were being written to disk at the time of the page fault. The pages were recovered without additional disk activity. Transition faults are counted in numbers of faults; because only one page is faulted in each operation, it is also equal to the number of pages faulted. | Counter | N/A | Custom: Detailed | 
| windows_memory_transition_pages_repurposed_total | Rate at which the number of transition cache pages were reused for a different purpose. These pages would have otherwise remained in the page cache to provide a (fast) soft fault (instead of retrieving it from backing store) in the event the page was accessed in the future. | Counter | N/A | Custom: Detailed | 
| windows_memory_write_copies_total | The number of page faults caused by attempting to write that were satisfied by copying the page from elsewhere in physical memory. | Counter | N/A | Custom: Detailed | 
| windows_memory_used_percent | Percent of committed memory used. | Gauge | N/A | Custom: Detailed | 
| windows_memory_available_percent | Percent of committed memory available. | Gauge | N/A | Custom: Detailed | 
| windows_memory_cache_faults_per_sec | Rate of cache faults computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_demand_zero_faults_per_sec | Rate of Zeroed pages required to satisfy faults computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_page_faults_per_sec | Rate at which faulted pages are handled by the processor computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_page_reads_per_sec | Disk page reads computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_pages_input_per_sec | Disk page reads computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_pages_output_per_sec | Pages written across all page writes computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_pages_per_sec | Total number of swap page read and writes computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_page_writes_per_sec | Disk page writes computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_transition_faults_sec | Rate at which page faults are resolved computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_transition_pages_repurposed_per_sec | Rate at which the number of transition cache pages were reused for a different purpose computed per sec. | Gauge | N/A | Custom: Detailed | 
| windows_memory_write_copies_per_sec | Rate at which the number of page faults caused by attempting to write that were satisfied by copying the page from elsewhere in physical memory computed per sec. | Gauge | N/A | Custom: Detailed | 
Network
Basic level captures bytes, packets, errors, and connections over all interfaces.
Custom level exposes the following:
- The Interface filter, which specifies which network interfaces to include or exclude. (An empty filter will include all metrics.)
- Per interface metrics, which toggle on or off.
- Detailed metrics, which toggle on or off. If on, the Protocol metrics toggle appears, allowing you to choose whether to generate metrics for ICMP, ICMPMsg, IP, TCP, UDP, and UDPLite.
Metrics for networks include the following:
| Name | Description | Type | Dimensions | Mode | 
|---|---|---|---|---|
| windows_net_packets_outbound_discarded_total | Total outbound packets to be discarded even though no errors had been detected to prevent transmission. | Counter | nic | Custom: Detailedmetrics | 
| windows_net_packets_outbound_errors_total | Total packets that could not be transmitted due to errors. | Counter | nic | Custom: Detailedmetrics | 
| windows_net_packets_received_discarded_total | Total inbound packets that were chosen to be discarded even though no errors had been detected to prevent delivery. | Counter | nic | Custom: Detailedmetrics | 
| windows_net_packets_received_errors_total | Total packets that could not be received due to errors. | Counter | nic | Custom: Detailedmetrics | 
| windows_net_packets_received_unknown_total | Total packets received by interface that were discarded because of an unknown or unsupported protocol. | Counter | nic | Custom: Detailedmetrics | 
| windows_net_packets_received_non_unicast_total | Total non-unicast (subnet broadcast or subnet multicast) packets that are delivered to a higher-layer protocol. | Counter | nic | Custom: Detailedmetrics | 
| windows_net_packets_received_unicast_total | Total subnet-unicast packets that are delivered to a higher-layer protocol. | Counter | nic | Custom: Detailedmetrics | 
| windows_net_packets_sent_unicast_total | Total packets requested to be transmitted to subnet-unicast addresses by higher-level protocols. | Counter | nic | Custom: Detailedmetrics | 
| windows_net_packets_sent_non_unicast_total_per_sec | Total packets that are requested to be transmitted to nonunicast (subnet broadcast or subnet multicast) addresses by higher-level protocols. | Gauge | nic | Custom: Detailedmetrics | 
| windows_net_bytes_received_total | Total bytes received by interface. | Counter | nic | Custom: Per Interfacemetrics | 
| wwindows_net_bytes_received_total_per_sec | Total bytes received by interface computed per sec. | Gauge | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_bytes_sent_total | Total bytes transmitted by interface. | Counter | nic | Custom: Per Interfacemetrics | 
| windows_net_bytes_sent_total_per_sec | Total bytes transmitted by interface computed per sec. | Gauge | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_bytes_total | Total bytes received and transmitted by interface. | Counter | nic | Custom: Per Interfacemetrics | 
| windows_net_bytes_total_per_sec | Total bytes received and transmitted by interface per sec. | Gauge | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_packets_received_total_per_sec | Total packets received by interface computed per sec. | Counter | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_bytes_total_per_sec | Total bytes received and transmitted by interface per sec. | Gauge | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_packets_received_non_unicast_total_per_sec | Rate at which non-unicast (subnet broadcast or subnet multicast) packets are delivered to a higher-layer protocol computed per sec. | Gauge | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_packets_total | Total packets received and transmitted by interface. | Counter | nic | Custom: Per Interfacemetrics | 
| windows_net_packets_total_per_sec | Total packets received and transmitted by interface computed per sec. | Gauge | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_packets_sent_total | Total packets transmitted by interface. | Counter | nic | Custom: Per Interfacemetrics | 
| windows_net_packets_sent_total_per_sec | Total packets transmitted by interface computed per sec. | Gauge | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_packets_sent_unicast_total_per_sec | Rate at which packets are requested to be transmitted to subnet-unicast addresses by higher-level protocols computed per sec. | Gauge | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_packets_sent_non_unicast_total | Rate at which packets that are requested to be transmitted to nonunicast (subnet broadcast or subnet multicast) addresses by higher-level protocols per sec. | Counter | nic | Custom: Per Interfacemetrics andDetailedmetrics | 
| windows_net_current_bandwidth_bytes | Estimate of the interface’s current bandwidth in bytes per second. | Gauge | nic | Custom: Detailedmetrics | 
| windows_tcp_connection_failures_all_total | Number of times TCP connections have made a direct transition to the CLOSED state from the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition from the SYN-RCVD state to the LISTEN state. | Counter | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_connections_active_all_total | Number of times TCP connections have made a direct transition from the CLOSED state to the SYN-SENT state. | Counter | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_connections_established | Number of TCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT. | Gauge | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_connections_passive_all_total | Number of times TCP connections have made a direct transition from the LISTEN state to the SYN-RCVD state. | Counter | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_connections_reset_total | Number of times TCP connections have made a direct transition from the LISTEN state to the SYN-RCVD state. | Counter | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_segments_total | Total segments sent or received using the TCP protocol. | Counter | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_segments_received_all_total | Total segments received using the TCP protocol. | Counter | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_segments_retransmitted_all_total | Total segments retransmitted using the TCP protocol. | Counter | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_segments_sent_all_total | Total segments sent using the TCP protocol. | Counter | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_segments_all_total_per_sec | Total segments sent or received using the TCP protocol computed per sec. | Gauge | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_segments_received_all_total_per_sec | Total segments received using the TCP protocol computed per sec. | Gauge | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_segments_retransmitted_all_total_per_sec | Total segments retransmitted using the TCP protocol computed per sec. | Gauge | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_tcp_segments_sent_all_total_per_sec | Total segments sent using the TCP protocol computed per sec. | Gauge | af | Custom: DetailedandProtocolmetrics (TCPv4andTCPv6) | 
| windows_net_datagrams_all_total | Total datagrams sent or received using the UDP protocol. | Counter | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
| windows_net_datagrams_no_port_all_total | Rate of received UDP datagrams for which there was no application at the destination port. | Gauge | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
| windows_net_datagrams_received_all_total | Rate at which UDP datagrams are delivered to UDP users. | Gauge | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
| windows_net_datagrams_received_errors_all_total | Number of received UDP datagrams that could not be delivered excluding errors due to lack of an application at the destination port. | Gauge | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
| windows_net_datagrams_sent_all_total | Total UDP datagrams sent from the entity. | Gauge | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
| windows_net_datagrams_no_port_all_total_per_sec | Rate of received UDP datagrams for which there was no application at the destination port computed per sec | Gauge | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
| windows_net_datagrams_received_all_total_per_sec | Rate at which UDP datagrams are delivered to UDP users computed per sec | Gauge | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
| windows_net_datagrams_received_errors_all_total_per_sec | Rate at which received UDP datagrams that could not be delivered, excluding errors due to lack of an application at the destination port, computed per sec. | Gauge | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
| windows_net_datagrams_sent_all_total_per_sec | Rate at which UDP datagrams sent from the entity computed per sec. | Gauge | af | Custom: DetailedandProtocolmetrics (UDPv4andUDPv6) | 
Disk
Basic level captures disk usage (%), bytes read and written, and read and write operations, over all mounted disks.
Custom level exposes the following:
- The Volume filter, specifying which Windows volumes to include or exclude. Supports wildcards and !(not) operators. An empty filter will include all volumes.
- Per volume metrics, which toggle on or off.
- Detailed metrics, which toggle on or off.
Metrics for Disk include the following:
| Name | Description | Type | Dimensions | Mode | 
|---|---|---|---|---|
| windows_logical_disk_requests_queued | Outstanding requests on the disk at the time the performance data is collected | Gauge | volume | Basic | 
| windows_logical_disk_read_bytes_total | Rate at which bytes are transferred from the disk during read operations. | Counter | volume | Basic | 
| windows_logical_disk_reads_total | Rate of read operations on the disk. | Counter | volume | Basic | 
| windows_logical_disk_write_bytes_total | Rate at which bytes are transferred to the disk during write operations. | Counter | volume | Basic | 
| windows_logical_disk_writes_total | Rate of write operations on the disk. | Counter | volume | Basic | 
| windows_logical_disk_write_latency_seconds_total | Shows the average time, in seconds, of a write operation to the disk. | Counter | volume | Custom: Detailedmetrics | 
| windows_logical_disk_read_latency_seconds_total | Shows the average time, in seconds, of a read operation from the disk. | Counter | volume | Custom: Detailedmetrics | 
| windows_logical_disk_read_write_latency_seconds_total | Shows the time, in seconds, of the average disk transfer. | Counter | volume | Custom: Detailedmetrics | 
| windows_logical_disk_read_seconds_total | Seconds the disk was busy servicing read request. | Counter | volume | Custom: Detailedmetrics | 
| windows_logical_disk_idle_seconds_total | Seconds the disk was idle (not servicing read/write requests). | Counter | volume | Custom: Detailedmetrics | 
| windows_logical_disk_split_ios_total | Number of I/Os to the disk split into multiple I/Os. | Counter | volume | Custom: Detailedmetrics | 
| windows_logical_disk_percent_read_time | Percent rate of read operations on the disk. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_percent_write_time | Percent write operations on the disk. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_percent_time | Percent time the disk was in read + write operations | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_percent_time | Percent time the disk was idle. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_percent_free_space | Percent space free on volume. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_average_disk_sec_per_transfer | Measures the average time of data reads and writes on the disk. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_average_disk_sec_per_read | Measures the average rate of disk read requests that are executed per second on a specific physical disk. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_average_disk_sec_per_write | Indicates how fast data is being written on average for a specific logical disk. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_split_ios_per_sec | Rate the I/Os to the disk were split into multiple I/Os per sec. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_bytes_per_sec | Exposes the rate bytes are transferred to or from the disk during write or read operations per sec. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_read_bytes_per_sec | Exposes the rate bytes are transferred to or from the disk during read operations per sec. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_reads_per_sec | Exposes the rate of read operations on the disk per sec. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_transfers_per_sec | How fast data is being read and written for a specific logical disk per sec. | Gauge | volume | Custom: Detailedmetrics | 
| windows_logical_disk_write_bytes_per_se | Exposes the rate at which bytes are transferred from the disk during write operations per sec. | Gauge | volume | Custom: Detailedmetrics | 
The windows_logical_disk_free_bytes and windows_logical_disk_size_bytes metrics are not updated in real time and might have a delay of 10-15min. This is the same behavior as the Windows performance counters.
Process Metrics
With Process Metrics enabled, Cribl Edge captures process-specific metrics from Windows servers and reports them as events. This allows you to monitor specific processes on Cribl.Cloud instances. You can generate events for any process object.
Process-specific metrics are not affected by the Host Metrics detail setting.
For information on how to configure the Windows Metrics Source to generate process-specific metrics, check out the section of the Windows Metrics page.
Process-specific metrics include the following:
| Name | Description | Type | Dimensions | 
|---|---|---|---|
| process_start_time | Time the process started. | gauge | process_cmdline,process_service | 
| process_cpu_time_total | Elapsed time that the process’s threads have spent executing instructions in either privileged mode or user mode. Included in this count is code executed to handle some hardware interrupts and trap conditions. | counter | process_cmdline,process_service | 
| process_handles | Total number of handles the process has open. This number is the sum of the handles currently open by each thread in the process. | gauge | process_cmdline,process_service | 
| process_io_bytes_total | Total number of bytes issued to I/O operations in either read,write, orothermode. This property counts all I/O activity generated by the process to include file, network, and device I/Os.Readandwritemodes include data operations;othermode includes those that don’t involve data, like control operations. | counter | process_cmdline,process_service | 
| process_io_operations_total | Total number of I/O operations issued in either read,write, orothermode. This property counts all I/O activity generated by the process to include file, network, and device I/Os. Read and write mode includes data operations; other mode includes those that do not involve data, such as control operations. | counter | process_cmdline,process_service | 
| process_page_faults_total | Total number of page faults by threads executing in this process. A page fault occurs when a thread refers to a virtual memory page that is not in its working set in main memory. This can cause the page not to be fetched from disk if it is on the standby list and hence already in main memory, or if it is in use by another process with which the page is shared. | counter | process_cmdline,process_service | 
| process_page_file_bytes | Current number of bytes this process has used in the paging files. Paging files are used to store pages of memory used by the process that are not contained in other files. Paging files are shared by all processes, and lack of space in paging files can prevent other processes from allocating memory. | gauge | process_cmdline,process_service | 
| process_pool_bytes | Last observed number of bytes in the paged or nonpaged pool. The paged pool is an area of system memory (physical memory used by the operating system) for objects that can be written to disk when they are not being used. The nonpaged pool is an area of system memory (physical memory used by the operating system) for objects that cannot be written to disk, but must remain in physical memory as long as they are allocated. Nonpaged pool bytes are calculated differently than paged pool bytes, so they may not equal the total of paged pool bytes. | gauge | process_cmdline,process_service | 
| process_priority_base | Current base priority of this process. Threads within a process can raise and lower their own base priority, relative to the process’s base priority. | gauge | process_cmdline,process_service | 
| process_private_bytes | Current number of bytes this process has allocated that can’t be shared with other processes. | gauge | process_cmdline,process_service | 
| process_threads | Number of threads currently active in this process. Every running process has at least one thread. | gauge | process_cmdline,process_service | 
| process_virtual_bytes | Current size, in bytes, of the virtual address space that the process is using. Use of virtual space doesn’t imply use of either disk or main memory pages. Virtual space is finite and when the process uses too much, it can limit its ability to load libraries. | gauge | process_cmdline,process_service | 
| process_working_set_private_byte | Size of the working set, in bytes, that is used for this process only and not shared or shareable by other processes. | gauge | process_cmdline,process_service | 
| process_working_set_peak_bytes | Maximum size, in bytes, of the working set of this process at any point in time. The working set is the set of memory pages touched recently by the threads in the process. If free memory is above a threshold, pages are left in the working set of a process even if they are not in use. When free memory falls below a threshold, pages are trimmed from working sets. If pages are needed, they will be soft-faulted back into the working set before they leave main memory. | gauge | process_cmdline,process_service | 
| process_working_set_bytes | Maximum number of bytes in the working set of this process at any point in time. If free memory is above a threshold, pages are left in the working set of a process even if they aren’t in use. When free memory falls below a threshold, pages are trimmed from working sets. If pages are needed, they will be soft-faulted back into the working set before they leave main memory. | gauge | process_cmdline,process_service | 
Additional Process Metrics Properties
These properties, along with the dimensions listed in the previous table, are included with each metric:
- process_pid
- process_ppid
- process_exe_path
- process_name
Missing property values are represented as null.
Windows Filter Expressions
Cribl Edge allows you to filter Windows events based on various properties. This enables you to isolate specific events of interest for analysis or further processing.
For example, to identify all processes running as explorer, use the following filter expression:
processName == 'explorer'
This expression will return all instances of the explorer process.