Document unknown as filesystem.ignore_types metricbeat configuration value

[bczifra]

Describe the enhancement:
In elastic/gosigar#164, https://github.com/elastic/gosigar/blob/v0.14.2/sys/windows/syscall_windows.go#L345-L360 was modified to ignore an error from GetVolumeInformationW system call and return unavailable as the file system type.

This can result in metricbeat logging this error:

{"log.level":"error","@timestamp":"2023-04-06T08:59:18.495+0200","log.origin":{"[file.name](https://file.name/)":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset system.filesystem: error getting filesystem usage for [Z:\\](file:///Z://): GetDiskFreeSpaceEx failed: The device is not ready.","[service.name](https://service.name/)":"metricbeat","ecs.version":"1.6.0"}

This error can be filtered out by specifying:

metricbeat.modules:
  - module: system
    filesystem.ignore_types: [unknown]

It would be helpful to document this in https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-system-filesystem.html .

[elasticmachine]

Pinging @elastic/obs-docs (Team:Docs)

[automate-this]

Just FYI: I think you meant
filesystem.ignore_types: [unavailable]
not "unknown".
"unavailable" works for me and "unknown" does not.

[Tomalak]

I've used this in MetricBeat's modules.d\system.yml, and it seems to suppress the error (MetricBeat 3.8.2 on Windows Server 2016).

- module: system
  # ...
  filesystem.ignore_types:
    - unavailable
    - unknown
  # ...

[NateUT99]

I am seeing a similar message in the agent metrics data collected by the Elastic Agent for my Windows servers. Is there a way to suppress this error when these are managed by a Fleet server?

[automate-this]

Yes. You can put unknown and/or unavailable in the "ignore filesystem" option of the system integration that is assigned to your agent policy.

[NateUT99]

Circling back on this, we put both unknown and unavailable in the ignore list, but we continue to receive the error message
"error getting filesystem usage for D:: GetDiskFreeSpaceEx failed: The device is not ready." from the Windows agent metrics. Assuming this is correct, would best course of action be to open a support case?

I did check the configuration on one of the servers, and the ignore_types does appear to be populated.

• data_stream:
  dataset: system.filesystem
  type: metrics
  filesystem:
  ignore_types: unavailable,unknown
  id: system/metrics-system.filesystem-1c11d5a2-057d-4fdb-a569-a572e6d09c22
  metricsets:
  • filesystem
    period: 1m
    processors:
  • drop_event:
    when:
    regexp:
    system:
    filesystem:
    mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)

[muralidharanvenkataraman]

We would like to be added to this request as well.

[jrodewig]

Thanks @bczifra. I've opened #36946 to address the missing docs and close this issue.

@NateUT99 Your issue seems to be related to elastic/integrations#7703. Essentially, there's a bug in the UI that prevents you from setting filesystem.ignore_types as a an array. Since that's a separate problem, I'd use that issue to track progress. Thanks!