How is Logstash Throughput Calculated in Stack Monitoring?

I'm trying to recreate the stack monitoring page for Logstash 7.6 in a dashboard , specifically so that I can see throughput for a physical node that has multiple Logstash instances deployed on it, as shown in another post.

Right now I get three choices for viewing Logstash document throughput:

• Throughput for the cluster (which contains multiple physical nodes - each with their own multiple instances) - Not granular enough
• Throughput per instance - too granular as many of these are running on a physical node
• Throughput per pipeline per instance - too granular

I've opened up the .monitoring-logstash-* index pattern and tried to get throughput per physical machine by calculating the rates of the field logstash_stats.events.in, but these numbers are way too high.
What field in this index is being used to determine actual document index rate by the Logstash service?

Here's an example of me trying to recreate the Logstash Stack Monitoring 'Events Received Rate (/s)':

image1864×906 100 KB

But these numbers are way too high - there's no way I'm receiving 70M docs every 30s on one physical machine, which is also way higher than I see on the overview page as well..:

I was able to figure it out after reviewing the fields available in the logstash monitoring index. If anyone else tries to recreate this, remember a few things;

• You may have to add on some pipeline filtering - I'm only running one pipeline across many instances of logstash so I didn't address any pipeline stuff
• I'm running multiple Logstash instances per host (hence the need for a custom monitoring solution). If you're only running one instance per physical but still somehow find this helpful, you can ignore the cardinality part - or don't and it'll just equal 1..
  Here's what the end result looks like:
  
  

  image1866×244 87.4 KB

and here's the config:

image1848×977 60.3 KB

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.