Skip to content

[system/{cpu,memory}] Add alert rule templates #16943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mykola-elastic wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[system/{cpu,memory}] Add alert rule templates #16943

mykola-elastic wants to merge 3 commits into from
+74 −1

Conversation

@mykola-elastic
Copy link
Contributor

@mykola-elastic mykola-elastic commented Jan 13, 2026
edited
Loading

Proposed commit message

See title.

This PR adds alerting rule template for the identified key alerting metrics for CPU and memory datastreams:

  • "[System] CPU Utilization".
  • "[System] Memory Utilization".

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

ES|QL queries

CPU

// Alert when the average CPU usage exceeds a threshold.
// Groups by host.
// Adjust utilization threshold in the final WHERE clause as needed.
FROM metrics-system.cpu-*
| KEEP host.name, system.cpu.total.norm.pct
| STATS avg_cpu_util = AVG(system.cpu.total.norm.pct) BY host.name
| WHERE avg_cpu_util >= 0.85

Memory

// Alert when the average memory usage exceeds a threshold.
// Groups by host.
// Adjust utilization threshold in the final WHERE clause as needed.
FROM metrics-system.memory-*
| KEEP host.name, system.memory.actual.used.pct
| STATS avg_memory_util = AVG(system.memory.actual.used.pct) BY host.name
| WHERE avg_memory_util >= 0.9
Screenshot 2026-01-13 at 16 28 59

@mykola-elastic mykola-elastic self-assigned this Jan 13, 2026
@mykola-elastic mykola-elastic added enhancement New feature or request Integration:system System Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] labels Jan 13, 2026
@mykola-elastic
Copy link
Contributor Author

mykola-elastic commented Jan 13, 2026
edited
Loading

Checked that the ES|QL query works:

Screenshot 2026-01-13 at 14 59 50 Screenshot 2026-01-13 at 15 11 00 Screenshot 2026-01-13 at 16 17 22 Screenshot 2026-01-13 at 16 21 06

@mykola-elastic mykola-elastic marked this pull request as ready for review January 13, 2026 13:15
@mykola-elastic mykola-elastic requested review from a team as code owners January 13, 2026 13:15
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Jan 13, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@mykola-elastic mykola-elastic changed the title [system/cpu] Add alert rule template [system/{cpu,memory}] Add alert rule template Jan 13, 2026
@mykola-elastic mykola-elastic marked this pull request as draft January 13, 2026 14:18
@mykola-elastic mykola-elastic changed the title [system/{cpu,memory}] Add alert rule template [system/{cpu,memory}] Add alert rule templates Jan 13, 2026
@mykola-elastic mykola-elastic marked this pull request as ready for review January 13, 2026 14:26
@elasticmachine
Copy link

elasticmachine commented Jan 13, 2026

💚 Build Succeeded

History

cc @mykola-elastic

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jan 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stefans-elastic stefans-elastic stefans-elastic approved these changes

@giorgi-imerlishvili-elastic giorgi-imerlishvili-elastic giorgi-imerlishvili-elastic approved these changes

@jakubgalecki0 jakubgalecki0 jakubgalecki0 approved these changes

@shmsr shmsr Awaiting requested review from shmsr

@muthu-mps muthu-mps Awaiting requested review from muthu-mps

@ishleenk17 ishleenk17 Awaiting requested review from ishleenk17

At least 1 approving review is required to merge this pull request.

Assignees

@mykola-elastic mykola-elastic

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:system System Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@mykola-elastic @elasticmachine @stefans-elastic @giorgi-imerlishvili-elastic @jakubgalecki0 @andrewkroh