Convert metrics to events
Metrics provide continuous numerical visibility into system and application state, but some conditions, such as high CPU usage, low free memory, or queue saturation, may require immediate action. Converting those values into alert events lets you route them through the same pipeline as your logs, enabling delivery to a SIEM, a ticketing system, or an on-call notification platform without a separate monitoring stack.
NXLog Agent can evaluate metric values using conditional logic in an Exec block. Metrics that meet specific criteria can then be reformatted as event records and forwarded by an output module.
Generate events on high CPU load
High CPU usage on a Windows host can indicate a process consuming more resources than expected or a processing bottleneck. The example below polls the processor utilization counter and generates an alert event when it exceeds 90%.
This configuration uses the Windows Performance Counters input module to poll the total processor utilization counter. When the polled value exceeds the threshold, the configuration adds alert fields and uses the Rewrite extension to normalize and convert the record to JSON. Otherwise, the record is discarded.
<Extension json>
    Module          xm_json
</Extension>

<Extension rewrite>
    Module          xm_rewrite
    Keep            EventTime, Hostname, alert, cpu_percent
    Rename          EventTime, timestamp
    Rename          Hostname, hostname
    Exec            to_json();
</Extension>

<Input high_cpu_load>
    Module          im_winperfcount
    Counter         \Processor(_Total)\% Processor Time (1)
    PollInterval    60
    <Exec>
        if ${\Processor(_Total)\% Processor Time} =~ /^(9[0-9]|100)/ { (2)
            $alert = "high_cpu_load";
            $cpu_percent = ${\Processor(_Total)\% Processor Time};
            rewrite->process(); (3)
        }
        else {
            drop();
        }
    </Exec>
</Input>
| 1 | Polls the total processor utilization counter every 60 seconds. |
| 2 | Matches counter values from 90 to 100. Note that im_winperfcount returns the counter value as a floating-point percentage string. |
| 3 | Uses the Rewrite extension to normalize and keep only fields relevant to the alert event and convert the record to JSON. |
{
    "timestamp": "2026-04-30T16:33:28.106505+01:00",
    "hostname": "SRV01",
    "alert": "high_cpu_load",
    "cpu_percent": "92.158300"
}
Generate events on low available memory
A host with low available memory is at risk of swap pressure and out-of-memory conditions. The example below uses Osquery to poll the available memory and generates an alert event when it falls below 1 GB.
This configuration uses the Osquery input module to query the memory_info table every 60 seconds.
When the available memory falls below the threshold, the configuration adds alert fields and uses the Rewrite extension to normalize and convert the record to JSON.
Otherwise, the record is discarded.
<Extension json>
    Module          xm_json
</Extension>

<Extension rewrite>
    Module          xm_rewrite
    Keep            EventReceivedTime, Hostname, alert, memory_available
    Rename          EventReceivedTime, timestamp
    Rename          Hostname, hostname
    Exec            to_json();
</Extension>

<Input low_memory>
    Module          im_osquery
    <QueryMap>
        Name                memory
        Query               "SELECT memory_available FROM memory_info" (1)
        Interval            60
        OsqueryEventType    Added (2)
    </QueryMap>
    <Exec>
        if integer($columns('memory_available')) < 1073741824 {
            $alert = "low_available_memory";
            $memory_available = $columns('memory_available');
            rewrite->process(); (3)
        }
        else {
            drop();
        }
    </Exec>
</Input>
| 1 | Queries the memory_available column from the Osquery memory_info table every 60 seconds. |
| 2 | Limits processing to added events, excluding the removed events that Osquery emits when a polled value changes. |
| 3 | Uses the Rewrite extension to normalize and keep only fields relevant to the alert event and convert the record to JSON. |
{
    "timestamp": "2026-04-30T14:08:42.118537+01:00",
    "hostname": "WEBSRV",
    "alert": "low_available_memory",
    "memory_available": "812494438"
}
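Both configurations emit one record for each poll that meets the condition, and the metric value arrives as a JSON string. The following receiving-side sketch is an added example, not part of NXLog Agent or its documentation: it casts the string values to numbers and merges repeated alerts for the same host into a single incident before ticketing. The function names, the 150-second merge window, and the sample lines are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Metric field and numeric type for each alert name used on this page.
VALUE_FIELD = {"high_cpu_load": ("cpu_percent", float),
               "low_available_memory": ("memory_available", int)}

def parse_alert(line):
    """Parse one JSON alert record and cast its string-typed metric to a number."""
    rec = json.loads(line)
    field, cast = VALUE_FIELD[rec["alert"]]  # KeyError on an unknown alert name
    return {"time": datetime.fromisoformat(rec["timestamp"]),
            "hostname": rec["hostname"], "alert": rec["alert"],
            "value": cast(rec[field])}

def group_incidents(lines, gap=timedelta(seconds=150)):
    """Merge alerts for the same host and alert name that arrive within `gap`."""
    incidents, open_by_key = [], {}
    for ev in sorted(map(parse_alert, lines), key=lambda e: e["time"]):
        key = (ev["hostname"], ev["alert"])
        inc = open_by_key.get(key)
        if inc is None or ev["time"] - inc["last_seen"] > gap:
            inc = {"hostname": ev["hostname"], "alert": ev["alert"],
                   "first_seen": ev["time"], "last_seen": ev["time"],
                   "count": 0, "values": []}
            incidents.append(inc)
            open_by_key[key] = inc
        inc["last_seen"] = ev["time"]
        inc["count"] += 1
        inc["values"].append(ev["value"])
    return incidents

# Constructed sample records in the shape of the two outputs shown on this page.
SAMPLE = [
    '{"timestamp":"2026-04-30T16:33:28.106505+01:00","hostname":"SRV01","alert":"high_cpu_load","cpu_percent":"92.158300"}',
    '{"timestamp":"2026-04-30T16:34:28.106505+01:00","hostname":"SRV01","alert":"high_cpu_load","cpu_percent":"97.500000"}',
    '{"timestamp":"2026-04-30T16:35:28.106505+01:00","hostname":"SRV01","alert":"high_cpu_load","cpu_percent":"91.004200"}',
    '{"timestamp":"2026-04-30T16:50:28.106505+01:00","hostname":"SRV01","alert":"high_cpu_load","cpu_percent":"95.250000"}',
    '{"timestamp":"2026-04-30T14:08:42.118537+01:00","hostname":"WEBSRV","alert":"low_available_memory","memory_available":"812494438"}',
]

if __name__ == "__main__":
    for inc in group_incidents(SAMPLE):
        print(inc["hostname"], inc["alert"], inc["count"], inc["values"])
```

The merge window is set to two and a half polling intervals so that a single missed poll does not split one sustained condition into two incidents.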