Heavy queuing on logstash nodes

suyog1 · September 26, 2020, 10:01am

Hello Team,

I have below architecture in place.

400-800 EC2                        ---> AWS NLB ---> 10 Logstash EC2s                      --->     14 EC2 of data node 
with filebeat                                                                                        i3.2xlarge (3 masters)   
                                                     100GB SSD with 500IOPS                                                     for queue.

Every day in evening we serve huge traffic which generates 80K events per/sec on logstash nodes for 30 mins, at the same time I can see elasticsearch with indexing rate of 150K docs/sec.

In this time filebeat sends data for 3 different indices along with 4th index being indexed by AWS lambda.
Out of these 3 index on which filebeat sending data, I need 1 index which should give me data for almost realtime.

Can someone suggest me how can I achieve this on this big scale ?
Daily ingestion is around 1.5 - 3 TB
For that 30 min window logstash consume SSD disk for queue with 11-15GB utilization on almost all logstash nodes.

warkolm · September 28, 2020, 6:04am

Are you asking how to increase ingestion on Elasticsearch or Logstash?

suyog1 · September 28, 2020, 6:19am

I have doubt on logstash throughput along with elasticsearch ingestion.
First,
Why my group of logstash instances queuing so much of data ?

warkolm · September 28, 2020, 6:21am

It will queue data if Elasticsearch cannot cope with the load.

suyog1 · September 28, 2020, 6:23am

But at the same time, I have few lambdas who ingest logs in elasticsarch, they are able to ingest data with 20 sec of lag means almost realtime, however logstash isn't.

suyog1 · September 28, 2020, 7:20am

can someone help here ?

system · October 26, 2020, 7:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.