Update docs about inventory page to show new host details flyout (#3328)

* Add content changes about host inventory tabs

Co-authored-by: Mike Birnstiehl <[email protected]>
(cherry picked from commit f058593)

docs/en/observability/monitor-infra/analyze-hosts.asciidoc

@@ -17,7 +17,7 @@ health and performance metrics to help you quickly:
 * Filter and search the data to focus on the hosts you care about the most.
 
 To access this page from the main {kib} menu, go to
-**{observability} -> Infrastructure**, and then click **Hosts**.
+**{observability} -> Infrastructure -> Hosts**.
 
 [role="screenshot"]
 image::images/hosts.png[Screenshot of the Hosts page]
@@ -32,20 +32,19 @@ The **Hosts** page provides a few different ways to view host metrics:
 * Overview tiles show the number of hosts returned by your search plus
 averages of key metrics, including CPU usage, memory usage, and throughput.
 * The Host limit controls the maximum number of hosts shown on the page. The
-default is 20, which means the page shows data for the top 20 hosts based on the
+default is 50, which means the page shows data for the top 50 hosts based on the
 most recent timestamps. You can increase the host limit to see data for more
 hosts, but doing so may impact query performance.
 * The Hosts table shows a breakdown of metrics for each host. You may need to
 page through the list or change the number of rows displayed on each page to see
 all of your hosts.
-* Each host name is an active link to an overview page with additional metrics
-about the host, such as CPU usage, load, memory usage, and network traffic.
+* Each host name is an active link to a <<view-host-details, host details>> page,
+which includes metrics, host metadata, alerts, processes, logs, and anomalies.
+You can optionally open the host details in an overlay.
 * Table columns are sortable, but note that the sorting behavior is applied to
 the already returned data set.
-* The **Metrics** view shows metrics trending over time, including normalized
-load, CPU usage, memory usage, network inbound, network outbound, disk read
-IOPS, and disk write IOPS. Place your cursor over a line to view metrics at a
-specific point in time.
+* The tabs at the bottom of the page show an overview of the metrics, logs,
+and alerts for all hosts returned by your search.
 
 [discrete]
 [[analyze-hosts-filter-view]]
@@ -65,35 +64,29 @@ and include (or exclude) metrics for those hosts.
 include (or exclude) metrics for the selected cloud providers.
 * Change the date range in the Time Picker, or click and drag on a
 visualization to change the date range.
-* In the visualizations under **Metrics**, click a point on a line and apply
-filters to set other visualizations on the page to the same time and/or host.
+* Within a visualization, click a point on a line and apply filters to set other
+visualizations on the page to the same time and/or host.
 
 To learn more about filtering data in {kib}, refer to
 {kibana-ref}/kibana-concepts-analysts.html[{kib} concepts].
 
 [discrete]
-[[analyze-hosts-open-in-lens]]
-== Open in Lens
+[[analyze-hosts-inspect-data]]
+== View metrics
 
-Metrics visualizations are powered by Lens, meaning you can continue your analysis
-in Lens if you require more flexibility. Under **Metrics**, hover your cursor
-over a visualization, then click the ellipsis icon in the upper-right corner to
-open the visualization in Lens.
+On the **Metrics** tab, view metrics trending over time, including normalized load,
+CPU usage, memory usage, network inbound, network outbound, disk read IOPS, and
+disk write IOPS. Place your cursor over a line to view metrics at a specific
+point in time. From within each visualization, you can choose to inspect
+and download the metrics or open the visualization in Lens.
 
-[role="screenshot"]
-image::images/hosts-open-in-lens.png[Screenshot showing option to open in Lens]
-
-In Lens, you can examine all the fields and formulas used to create the
-visualization, make modifications to the visualization, and save your changes.
-
-For more information about using Lens, refer to the
-{kibana-ref}/lens.html[{kib} documentation about Lens].
+To see metrics for a specific host, refer to <<view-host-details>>.
 
 [discrete]
-[[analyze-hosts-inspect-data]]
-== Inspect and download metrics
+[[inspect-metrics]]
+=== Inspect and download metrics
 
-On the **Metrics** tab, you can access a text-based view of the data underlying
+You can access a text-based view of the data underlying
 your metrics visualizations and optionally download the data to a
 comma-separated (CSV) file.
 
@@ -111,6 +104,24 @@ used to fetch the data and the response returned from {es}. You can click links
 to further inspect and analyze the request in the **Dev Console** or
 **Search Profiler**.
 
+[discrete]
+[[analyze-hosts-open-in-lens]]
+=== Open in Lens
+
+Metrics visualizations are powered by Lens, meaning you can continue your
+analysis in Lens if you require more flexibility. Hover your cursor over a
+visualization, then click the ellipsis icon in the upper-right corner to open
+the visualization in Lens.
+
+[role="screenshot"]
+image::images/hosts-open-in-lens.png[Screenshot showing option to open in Lens]
+
+In Lens, you can examine all the fields and formulas used to create the
+visualization, make modifications to the visualization, and save your changes.
+
+For more information about using Lens, refer to the
+{kibana-ref}/lens.html[{kib} documentation about Lens].
+
 [discrete]
 [[analyze-hosts-view-logs]]
 == View logs
@@ -129,6 +140,8 @@ Logs app. To add log sources or columns (such as host name), refer to
 Click **Open in Logs** to tail your log files. For more information, refer to
 <<tail-logs>>.
 
+To see logs for a specific host, refer to <<view-host-details>>.
+
 [discrete]
 [[analyze-hosts-view-alerts]]
 == View alerts
@@ -146,6 +159,26 @@ From the **Actions** menu, you can choose to:
 [role="screenshot"]
 image::images/hosts-view-alerts.png[Screenshot showing Alerts view]
 
+To see alerts for a specific host, refer to <<view-host-details>>.
+
+[discrete]
+[[view-host-details]]
+== View host details
+
+Without leaving the **Hosts** page, you can view enhanced metrics relating to
+each host running in your infrastructure. In the list of hosts, find the host
+you want to monitor, then click the **Toggle dialog with details**
+icon image:images/expand-icon.png[] to display the host details overlay.
+
+TIP: To expand the overlay and view more detail, click *Open as page* in the upper-right corner.
+
+The host details overlay contains the following tabs:
+
+include::host-details-partial.asciidoc[]
+
+NOTE: These metrics are also available when viewing hosts on the **Inventory**
+page.
+
 [discrete]
 [[analyze-hosts-why-dashed-lines]]
 == Why am I seeing dashed lines in charts?

docs/en/observability/monitor-infra/host-details-partial.asciidoc

@@ -0,0 +1,150 @@
+// This is collapsed by default
+[%collapsible]
+.*Overview*
+====
+
+[role="screenshot"]
+image::images/metrics-overlay.png[Host metrics]
+
+The *Overview* tab displays metrics about the selected host, including CPU usage,
+normalized load, memory usage, disk usage, network traffic, and the log rate.
+
+Change the time range to view metrics over a specific period of time.
+
+Hover over a specific time period on a chart to compare the various metrics at that given time.
+
+====
+
+[%collapsible]
+.*Metadata*
+====
+
+[role="screenshot"]
+image::images/metadata-overlay.png[Host metadata]
+
+The *Metadata* tab lists all the meta information relating to the host:
+
+* Host information
+* Cloud information
+* Agent information
+
+All of this information can help when investigating events—for example, filtering by operating system or architecture.
+====
+
+[%collapsible]
+.*Processes*
+====
+
+[role="screenshot"]
+image::images/processes-overlay.png[Host processes]
+
+The *Processes* tab lists the total number of processes (`system.process.summary.total`) running on the host,
+along with the total number of processes in these various states:
+
+* Running (`system.process.summary.running`)
+* Sleeping (`system.process.summary.sleeping`)
+* Stopped (`system.process.summary.stopped`)
+* Idle (`system.process.summary.idle`)
+* Dead (`system.process.summary.dead`)
+* Zombie (`system.process.summary.zombie`)
+* Unknown (`system.process.summary.unknown`)
+
+The processes listed in the *Top processes* table are based on an aggregation of the top CPU and the top memory consuming processes.
+The number of top processes is controlled by `process.include_top_n.by_cpu` and `process.include_top_n.by_memory`.
+
+|=== 
+
+| *Command* | Full command line that started the process, including the absolute path to the executable, and all the arguments (`system.process.cmdline`).
+| *PID* | Process id (`process.pid`).
+| *User* | User name (`user.name`).
+| *CPU* | The percentage of CPU time spent by the process since the last event (`system.process.cpu.total.pct`).
+| *Time* | The time the process started (`system.process.cpu.start_time`). 
+| *Memory* | The percentage of memory (`system.process.memory.rss.pct`) the process occupied in main memory (RAM). 
+| *State* | The current state of the process and the total number of processes (`system.process.state`). Expected values are: `running`, `sleeping`, `dead`, `stopped`,
+`idle`, `zombie`, and `unknown`.
+
+|=== 
+====
+
+[%collapsible]
+.*Logs*
+====
+
+[role="screenshot"]
+image::images/logs-overlay.png[Host logs]
+
+The *Logs* tab displays logs relating to the host that you have selected. By default, the logs tab displays the following columns. 
+
+|=== 
+
+| *Timestamp* | The timestamp of the log entry from the `timestamp` field. 
+
+| *Message* | The message extracted from the document.
+The content of this field depends on the type of log message.
+If no special log message type is detected, the {ecs-ref}/ecs-base.html[Elastic Common Schema (ECS)]
+base field, `message`, is used.
+
+|=== 
+
+You can customize the logs view by adding a column for an arbitrary field you would like
+to filter by. For more information, refer to <<customize-stream-page,Customize Stream>>.
+To view the logs in the {logs-app} for a detailed analysis, click *Open in Logs*.
+====
+
+[%collapsible]
+.*Anomalies*
+====
+
+[role="screenshot"]
+image::images/anomalies-overlay.png[Anomalies]
+
+The *Anomalies* table displays a list of each single metric {anomaly-detect} job for the specific host. By default, anomaly
+jobs are sorted by time, showing the most recent jobs first. 
+
+Along with the name of each anomaly job, detected anomalies with a severity score equal to 50, or higher, are listed. These
+scores represent a severity of "warning" or higher in the selected time period. The *summary* value represents the increase between
+the actual value and the expected ("typical") value of the host metric in the anomaly record result.
+
+To drill down and analyze the metric anomaly, select *Actions -> Open in Anomaly Explorer* to view the
+{ml-docs}/ml-gs-results.html[Anomaly Explorer in {ml-app}]. You can also select *Actions -> Show in Inventory* to view the host
+Inventory page, filtered by the specific metric. 
+====
+
+[%collapsible]
+.*Osquery*
+====
+
+[IMPORTANT]
+=====
+You must have an active {fleet-guide}/elastic-agent-installation.html[{agent}] with an assigned agent policy
+that includes the {integrations-docs}/osquery_manager.html[Osquery Manager]
+integration and have Osquery {kibana-ref}/kibana-privileges.html[{kib} privileges] as a user.
+=====
+
+[role="screenshot"]
+image::images/osquery-overlay.png[Osquery]
+
+The *Osquery* tab allows you to build SQL statements to query your host data.
+You can create and run live or saved queries against
+the {agent}. Osquery results are stored in {es}
+so that you can use the {stack} to search, analyze, and
+visualize your host metrics. To create saved queries and add scheduled query groups,
+refer to {kibana-ref}/osquery.html[Osquery].
+
+//TODO: Get updated screen capture and make sure the example query is desribed in text
+//In the example above, we query for the top 5 memory hogs running on the host.
+//Under the *Results* tab, the total virtual memory size (`total_size` renamed to
+//`memory_used` to be a little more user friendly) is returned in descending order,
+//along with the process ID (`pid`), and the process path (`name`).
+
+To view more information about the query, click the *Status* tab. A query status can result in
+`success`, `error` (along with an error message), or `pending` (if the {agent} is offline).
+
+Other options include:
+
+* View in Discover to search, filter, and view information about the structure of host metric fields. To learn more, refer to {kibana-ref}/discover.html[Discover].
+* View in Lens to create visualizations based on your host metric fields. To learn more, refer to {kibana-ref}/lens.html[Lens].
+* View the results in full screen mode.
+* Add, remove, reorder, and resize columns.
+* Sort field names in ascending or descending order.
+====

docs/en/observability/monitor-infra/host-metrics.asciidoc

@@ -187,15 +187,11 @@ A high level indicates a situation of memory saturation for the host. For exampl
 
 **Field Calculation:**  `counter_rate(max(system.diskio.read.bytes), kql='system.diskio.read.bytes: *')`
 
-| **Disk Space Available**         | Disk space available.
-
-**Field Calculation:**  `average(system.filesystem.free)`
-
-| **Disk Space Availability (%)**  | Percentage of disk space available.
+| **Disk Usage - Available (%)**  | Percentage of disk space available.
 
 **Field Calculation:**  `1-average(system.filesystem.used.pct)`
 
-| **Disk Space Usage (%)**         | Percentage of disk space used.
+| **Disk Usage - Used (%)**         | Percentage of disk space used.
 
 **Field Calculation:**  `average(system.filesystem.used.pct)`