Send metrics to Graphite
You can send metrics collected by an input module to a Graphite server using NXLog Agent’s TCP output module. Graphite accepts metrics in plain-text format, with each line containing a metric path, a value, and a Unix timestamp, all separated by spaces.
The following examples show how to send Windows Performance Counters and Osquery metrics to a Graphite server.
Send metrics from Windows Performance Counters
Windows Performance Counters provide a wide range of host metrics, including CPU, memory, and disk usage. The following example collects total CPU usage across all processors and sends it to a Graphite server.
This configuration collects total processor utilization with the Windows Performance Counters input module. It uses the Rewrite extension to rename the counter field and retain only necessary fields. An Exec block formats each metric as a Graphite plain-text line and the TCP output module forwards it to the Graphite server.
<Extension rewrite>
Module xm_rewrite
Rename ${\Processor(_Total)\% Processor Time}, $cpu_usage_percent (1)
Keep Hostname, EventReceivedTime, cpu_usage_percent
</Extension>
<Input winperfcount>
Module im_winperfcount
Counter \Processor(_Total)\% Processor Time (2)
PollInterval 60
<Exec>
rewrite->process();
$raw_event = "servers." + $Hostname + \
".cpu_usage_percent " + \
string($cpu_usage_percent) + \
" " + string(integer($EventReceivedTime) / 1000000); (3)
</Exec>
</Input>
<Output graphite>
Module om_tcp
Host 192.168.1.100:2003 (4)
</Output>
<Route r1>
Path winperfcount => graphite
</Route>| 1 | Renames the counter field to cpu_usage_percent. |
| 2 | Collects total processor utilization across all CPUs using the _Total instance. |
| 3 | Formats the metric as a Graphite plain-text line containing the metric path, value, and Unix timestamp. |
| 4 | Forwards metrics to the Graphite server on port 2003. |
When NXLog Agent sends the metric to the Graphite server, it produces the following output.
servers.SRV01.cpu_usage_percent 13.571015 1779125075Send metrics from Osquery
Osquery can query CPU load, memory, and disk usage directly from the operating system. The following example collects Osquery metrics and sends them to a Graphite server.
This configuration uses the Osquery input module with two scheduled queries. An Exec block formats each query result as a Graphite plain-text line and the TCP output module forwards it to the Graphite server.
<Input osquery>
Module im_osquery
<QueryMap>
Name cpu_load (1)
Query "SELECT average FROM load_average WHERE period = '1m'"
Interval 60
OsqueryEventType Added
</QueryMap>
<QueryMap>
Name memory (2)
Query "SELECT memory_total, memory_free FROM memory_info"
Interval 60
OsqueryEventType Added
</QueryMap>
<Exec>
if defined($columns('average')) {
$raw_event = "servers." + $Hostname + ".cpu_load_1m " + \
string($columns('average')) + " " + \
string(integer($EventReceivedTime) / 1000000); (3)
}
else if defined($columns('memory_total')) {
$raw_event = "servers." + $Hostname + ".memory_total_bytes " + \
string($columns('memory_total')) + " " + \
string(integer($EventReceivedTime) / 1000000) + "\n" + \
"servers." + $Hostname + ".memory_free_bytes " + \
string($columns('memory_free')) + " " + \
string(integer($EventReceivedTime) / 1000000); (4)
}
</Exec>
</Input>
<Output graphite>
Module om_tcp
Host 192.168.1.100:2003 (5)
</Output>
<Route r1>
Path osquery => graphite
</Route>| 1 | Queries the one-minute CPU load average from the load_average table every 60 seconds. |
| 2 | Queries total and free memory from the memory_info table every 60 seconds. |
| 3 | Formats the CPU load metric as a Graphite plain-text line. |
| 4 | Formats the memory metrics as two Graphite plain-text lines. |
| 5 | Forwards metrics to the Graphite server on port 2003. |
When NXLog Agent sends the metrics to the Graphite server, it produces the following output.
servers.SRV02.cpu_load_1m 1.403320 1779123646
servers.SRV02.memory_total_bytes 4005224448 1779123697
servers.SRV02.memory_free_bytes 141361152 1779123697