[System]: Disk visualization by mountpoint is empty in the '[Metrics System] Host overview' Dashboard

[Danouchka]

Integration Name

System [system]

Dataset Name

system.filesystem

Integration Version

1.61.1

Agent Version

8.15.0

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.3

OS Version and Architecture

Elastic Cloud GCP Belgium

Software/API Version

No response

Error Message

No error message

Event Original

filesystem events are there with all needed information

What did you do?

1- Go to [Metrics System] Overview Dashboard
2- Double click on a Host in the table visualization that lists all hosts
3- You are taken to the corresponding [Metrics System] Host overview Dashboard for the selected host
4- See the disk visualization => there's noting althoug corresponding records are well present

What did you see?

The Top mountpoints by disk usage visualization is empty as you can see below

What did you expect to see?

A non empty visualization

Anything else?

The visualization sends the following query (see solution on how to fix at the end)

POST /metrics-/_async_search?batched_reduce_size=64&ccs_minimize_roundtrips=true&wait_for_completion_timeout=200ms&keep_on_completion=true&keep_alive=60000ms&ignore_unavailable=true&preference=1730050498825
{
"aggs": {
"0": {
"terms": {
"field": "system.filesystem.mount_point",
"order": {
"2-bucket>2-metric[system.filesystem.used.pct]": "desc"
},
"size": 10,
"shard_size": 25
},
"aggs": {
"2-bucket": {
"filter": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"should": [
{
"exists": {
"field": "system.filesystem.used.pct"
}
}
],
"minimum_should_match": 1
}
}
],
"should": [],
"must_not": []
}
},
"aggs": {
"2-metric": {
"top_metrics": {
"metrics": {
"field": "system.filesystem.used.pct"
},
"size": 1,
"sort": {
"@timestamp": "desc"
}
}
}
}
},
"1-bucket": {
"filter": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"should": [
{
"exists": {
"field": "system.filesystem.used.pct"
}
}
],
"minimum_should_match": 1
}
}
],
"should": [],
"must_not": []
}
},
"aggs": {
"1-metric": {
"avg": {
"field": "system.filesystem.used.pct"
}
}
}
}
}
}
},
"size": 0,
"_source": {
"excludes": []
},
"query": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"should": [
{
"term": {
"host.name": {
"value": "sa-da-vm-lls-01"
}
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"exists": {
"field": "system.filesystem.used.pct"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"minimum_should_match": 1,
"should": [
{
"match_phrase": {
"data_stream.dataset": "system.memory"
}
},
{
"match_phrase": {
"data_stream.dataset": "system.cpu"
}
},
{
"match_phrase": {
"data_stream.dataset": "system.fsstat"
}
},
{
"match_phrase": {
"data_stream.dataset": "system.network"
}
},
{
"match_phrase": {
"data_stream.dataset": "system.process"
}
},
{
"match_phrase": {
"data_stream.dataset": "system.load"
}
},
{
"match_phrase": {
"data_stream.dataset": "system.filestream"
}
},
{
"match_phrase": {
"data_stream.dataset": "system.diskio"
}
}
]
}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "2024-10-27T17:19:59.496Z",
"lte": "2024-10-27T17:34:59.496Z"
}
}
}
],
"should": [],
"must_not": []
}
},
"stored_fields": [
""
],
"runtime_mappings": {},
"script_fields": {},
"fields": [
{
"field": "@timestamp",
"format": "date_time"
},
{
"field": "docker.container.created",
"format": "date_time"
},
{
"field": "docker.image.created",
"format": "date_time"
},
{
"field": "event.created",
"format": "date_time"
},
{
"field": "event.end",
"format": "date_time"
},
{
"field": "event.ingested",
"format": "date_time"
},
{
"field": "event.start",
"format": "date_time"
},
{
"field": "kubernetes.container.start_time",
"format": "date_time"
},
{
"field": "kubernetes.event.metadata.timestamp.created",
"format": "date_time"
},
{
"field": "kubernetes.event.timestamp.first_occurrence",
"format": "date_time"
},
{
"field": "kubernetes.event.timestamp.last_occurrence",
"format": "date_time"
},
{
"field": "kubernetes.job.time.completed",
"format": "date_time"
},
{
"field": "kubernetes.job.time.created",
"format": "date_time"
},
{
"field": "kubernetes.node.start_time",
"format": "date_time"
},
{
"field": "kubernetes.persistentvolumeclaim.created",
"format": "date_time"
},
{
"field": "kubernetes.pod.start_time",
"format": "date_time"
},
{
"field": "kubernetes.service.created",
"format": "date_time"
},
{
"field": "kubernetes.storageclass.created",
"format": "date_time"
},
{
"field": "kubernetes.system.start_time",
"format": "date_time"
},
{
"field": "labels.k8s_pod_start_time",
"format": "date_time"
},
{
"field": "mongodb.replstatus.server_date",
"format": "date_time"
},
{
"field": "mongodb.status.background_flushing.last_finished",
"format": "date_time"
},
{
"field": "mongodb.status.local_time",
"format": "date_time"
},
{
"field": "mssql.metrics.log_backup_time",
"format": "date_time"
},
{
"field": "postgresql.activity.backend_start",
"format": "date_time"
},
{
"field": "postgresql.activity.query_start",
"format": "date_time"
},
{
"field": "postgresql.activity.state_change",
"format": "date_time"
},
{
"field": "postgresql.activity.transaction_start",
"format": "date_time"
},
{
"field": "postgresql.bgwriter.stats_reset",
"format": "date_time"
},
{
"field": "postgresql.database.stats_reset",
"format": "date_time"
},
{
"field": "system.service.state_since",
"format": "date_time"
},
{
"field": "updated_at",
"format": "date_time"
}
]
}

Solution
To make it work, the missing part in the above query, in the boolean list of matches, is the following:

{
       "match_phrase": {
                  "data_stream.dataset": "system.filesystem"
      }
 }

[Danouchka]

cc @jamiehynds

[jamiehynds]

Hi @Danouchka - this one falls under @daniela-elastic and her team.

[Danouchka]

Hi @daniela-elastic
Is it ok for you to fix it ? It's been lasting now for a while
Thank you very much

[daniela-elastic]

@lalit-satapathy can we have a quick triage to understand scope please?

[ishleenk17]

Hello @Danouchka
I checked the dataset filters that are present in the System Integration.
they are as below:

And I see "system.filesystem" is correctly set.

In the query you shared, I noticed there is an incorrect dataset in the match phrase. There is no dataset by the name of filestream in System Integration.

{
"match_phrase": {
"data_stream.dataset": "system.filestream"
}
},

Has the user changed the dataset themselves as that seems to be the issue.
Could you please recheck if you are using the OOTB dashboard or have you edited it ?

[Danouchka]

Hi @ishleenk17

Very strange, I dont know where filestream comes from. please see below.
Can you check if the visualization "Top mount points by usage" overwrites the filters ?

[Danouchka]

Actually there's a an issue with the top filters as you can see , meaning that the fields that are displayed in the top filters are not those in the match queries when you edit these filters

[ishleenk17]

@Danouchka : I think I have caught the culprit PR commit that would have caused this.
We will pick up to fix this in the upcoming sprint.

[Danouchka]

Yes it's here
packages/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json