Need help with Visualisation - highest percentage of PQ current size FOR THE LAST 60 mins

We need help with the following. This is what we have configured below.

However how can we see the top 10 records in a table
ORDER BY highest percentage of PQ current size FOR THE LAST 60 mins

Data View Records

host.hostname
logstash.pipeline.name

logstash.pipeline.info.batch.size
logstash.pipeline.info.workers

logstash.pipeline.total.flow.queue_backpressure.last_1_minute
logstash.pipeline.total.flow.worker_utilization.current
logstash.pipeline.total.queues_size.bytes

Visualization configuration

Table Logstash Stack Monitoring Metrics

Metrics

Worker Count
Batch Size
Worker Utilization (Max %)
PQ Size (Max)
Backpressure (Max)

OR is there a better way or query to go about doing this?

Kindly advise. Thanks in advance.

Hello @Whoami1980

We will need to know more about data & ELK version.

I believe we can even use ES|QL like below if it works for you :

Data Used :

POST test-logstash-metrics/_bulk
{ "index": {} }
{ "@timestamp": "2026-03-17T10:00:00Z", "host": { "hostname": "host1" }, "logstash": { "pipeline": { "name": "pipeA", "total": { "queues_size": { "bytes": 200000000 }, "flow": { "worker_utilization": { "current": 0.65 }, "queue_backpressure": { "last_1_minute": 0.10 } } }, "info": { "workers": 2, "batch": { "size": 125 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:05:00Z", "host": { "hostname": "host1" }, "logstash": { "pipeline": { "name": "pipeA", "total": { "queues_size": { "bytes": 400000000 }, "flow": { "worker_utilization": { "current": 0.75 }, "queue_backpressure": { "last_1_minute": 0.20 } } }, "info": { "workers": 2, "batch": { "size": 125 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:10:00Z", "host": { "hostname": "host2" }, "logstash": { "pipeline": { "name": "pipeB", "total": { "queues_size": { "bytes": 800000000 }, "flow": { "worker_utilization": { "current": 0.85 }, "queue_backpressure": { "last_1_minute": 0.30 } } }, "info": { "workers": 4, "batch": { "size": 200 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:15:00Z", "host": { "hostname": "host2" }, "logstash": { "pipeline": { "name": "pipeB", "total": { "queues_size": { "bytes": 900000000 }, "flow": { "worker_utilization": { "current": 0.90 }, "queue_backpressure": { "last_1_minute": 0.35 } } }, "info": { "workers": 4, "batch": { "size": 200 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:20:00Z", "host": { "hostname": "host3" }, "logstash": { "pipeline": { "name": "pipeC", "total": { "queues_size": { "bytes": 100000000 }, "flow": { "worker_utilization": { "current": 0.40 }, "queue_backpressure": { "last_1_minute": 0.05 } } }, "info": { "workers": 1, "batch": { "size": 50 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:25:00Z", "host": { "hostname": "host3" }, "logstash": { "pipeline": { "name": "pipeC", "total": { "queues_size": { "bytes": 150000000 }, "flow": { "worker_utilization": { "current": 0.50 }, "queue_backpressure": { "last_1_minute": 0.08 } } }, "info": { "workers": 1, "batch": { "size": 50 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:30:00Z", "host": { "hostname": "host4" }, "logstash": { "pipeline": { "name": "pipeD", "total": { "queues_size": { "bytes": 700000000 }, "flow": { "worker_utilization": { "current": 0.70 }, "queue_backpressure": { "last_1_minute": 0.25 } } }, "info": { "workers": 3, "batch": { "size": 150 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:35:00Z", "host": { "hostname": "host4" }, "logstash": { "pipeline": { "name": "pipeD", "total": { "queues_size": { "bytes": 950000000 }, "flow": { "worker_utilization": { "current": 0.95 }, "queue_backpressure": { "last_1_minute": 0.40 } } }, "info": { "workers": 3, "batch": { "size": 150 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:40:00Z", "host": { "hostname": "host5" }, "logstash": { "pipeline": { "name": "pipeE", "total": { "queues_size": { "bytes": 300000000 }, "flow": { "worker_utilization": { "current": 0.60 }, "queue_backpressure": { "last_1_minute": 0.15 } } }, "info": { "workers": 2, "batch": { "size": 100 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:45:00Z", "host": { "hostname": "host5" }, "logstash": { "pipeline": { "name": "pipeE", "total": { "queues_size": { "bytes": 500000000 }, "flow": { "worker_utilization": { "current": 0.65 }, "queue_backpressure": { "last_1_minute": 0.18 } } }, "info": { "workers": 2, "batch": { "size": 100 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:50:00Z", "host": { "hostname": "host1" }, "logstash": { "pipeline": { "name": "pipeF", "total": { "queues_size": { "bytes": 850000000 }, "flow": { "worker_utilization": { "current": 0.88 }, "queue_backpressure": { "last_1_minute": 0.33 } } }, "info": { "workers": 5, "batch": { "size": 250 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:52:00Z", "host": { "hostname": "host2" }, "logstash": { "pipeline": { "name": "pipeG", "total": { "queues_size": { "bytes": 600000000 }, "flow": { "worker_utilization": { "current": 0.77 }, "queue_backpressure": { "last_1_minute": 0.22 } } }, "info": { "workers": 3, "batch": { "size": 180 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:54:00Z", "host": { "hostname": "host3" }, "logstash": { "pipeline": { "name": "pipeH", "total": { "queues_size": { "bytes": 920000000 }, "flow": { "worker_utilization": { "current": 0.93 }, "queue_backpressure": { "last_1_minute": 0.37 } } }, "info": { "workers": 6, "batch": { "size": 300 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:55:00Z", "host": { "hostname": "host4" }, "logstash": { "pipeline": { "name": "pipeI", "total": { "queues_size": { "bytes": 250000000 }, "flow": { "worker_utilization": { "current": 0.55 }, "queue_backpressure": { "last_1_minute": 0.12 } } }, "info": { "workers": 2, "batch": { "size": 90 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:56:00Z", "host": { "hostname": "host5" }, "logstash": { "pipeline": { "name": "pipeJ", "total": { "queues_size": { "bytes": 780000000 }, "flow": { "worker_utilization": { "current": 0.82 }, "queue_backpressure": { "last_1_minute": 0.28 } } }, "info": { "workers": 4, "batch": { "size": 210 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:57:00Z", "host": { "hostname": "host1" }, "logstash": { "pipeline": { "name": "pipeK", "total": { "queues_size": { "bytes": 990000000 }, "flow": { "worker_utilization": { "current": 0.97 }, "queue_backpressure": { "last_1_minute": 0.45 } } }, "info": { "workers": 8, "batch": { "size": 500 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:58:00Z", "host": { "hostname": "host2" }, "logstash": { "pipeline": { "name": "pipeL", "total": { "queues_size": { "bytes": 120000000 }, "flow": { "worker_utilization": { "current": 0.35 }, "queue_backpressure": { "last_1_minute": 0.05 } } }, "info": { "workers": 1, "batch": { "size": 60 } } } } }
{ "index": {} }
{ "@timestamp": "2026-03-17T10:59:00Z", "host": { "hostname": "host3" }, "logstash": { "pipeline": { "name": "pipeM", "total": { "queues_size": { "bytes": 660000000 }, "flow": { "worker_utilization": { "current": 0.78 }, "queue_backpressure": { "last_1_minute": 0.26 } } }, "info": { "workers": 3, "batch": { "size": 175 } } } } }

Query used :

FROM test-logstash-metrics
| WHERE @timestamp > NOW() - 60 minutes
| STATS 
    max_pq_bytes     = MAX(logstash.pipeline.total.queues_size.bytes),
    max_utilization  = MAX(logstash.pipeline.total.flow.worker_utilization.current),
    max_backpressure = MAX(logstash.pipeline.total.flow.queue_backpressure.last_1_minute),
    max_workers      = MAX(logstash.pipeline.info.workers),
    max_batch        = MAX(logstash.pipeline.info.batch.size)
  BY host.hostname, logstash.pipeline.name
| EVAL pq_percent = (max_pq_bytes / 1073741824.0) * 100
| SORT pq_percent DESC
| LIMIT 10

Result :

Thanks!!

@Tortoise Thanks for the assistance. Our Elasticsearch version is 8.19.10

In regards to the query need some basic guidance here.

Visualization configuration shows Table - Logstash Stack Monitoring Metrics

"FROM Logstash.Stack.Monitoring.Metrics" gives me Unknown index [Logstash.Stack.Monitoring.Metrics]

I went to the cluster to look for the indices but to no avail. Kindly advise.

Hello @Whoami1980

The table visualization must be created from a data view. We will have to find that data view: from Discover, we find that data view and click Manage this data view, which will show the index pattern from which this data view was created. We will have to use this index pattern in the ES|QL query.

Thanks!!

@Tortoise

I have verified.
Data view = "Logstash Stack Monitoring Metrics"

POST /_query?format=txt
{
  "query": """
  FROM Logstash Stack Monitoring Metrics
|   WHERE @timestamp > NOW() - 60 minutes
|   STATS 
      max_pq_bytes     = MAX(logstash.pipeline.total.queues_size.bytes),
      max_utilization  = MAX(logstash.pipeline.total.flow.worker_utilization.current),
      max_backpressure = MAX(logstash.pipeline.total.flow.queue_backpressure.last_1_minute),
      max_workers      = MAX(logstash.pipeline.info.workers),
      max_batch        = MAX(logstash.pipeline.info.batch.size)
    BY host.hostname, logstash.pipeline.name
|   EVAL pq_percent = (max_pq_bytes / 1073741824.0) * 100
|   SORT pq_percent DESC
|   LIMIT 10
  """
}
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "line 2:17: mismatched input 'Stack' expecting {<EOF>, '|', ',', '[', 'metadata'}"
      }
    ],
    "type": "parsing_exception",
    "reason": "line 2:17: mismatched input 'Stack' expecting {<EOF>, '|', ',', '[', 'metadata'}",
    "caused_by": {
      "type": "input_mismatch_exception",
      "reason": null
    }
  },
  "status": 400
}

Hello @Whoami1980

Just to be sure, as I have never seen an index name with such a pattern:

Click on Manage this data view

So from above the index pattern is kibana_sample_data_ecommerce

Error similar to yours:

If we use correct index pattern :

Thanks!!

The data view name is correct. With your steps I have found the index pattern. The query has run successfully. However, looking through the results, some pq_percent values contain null or have an abnormal percentage like 1999%

max_pq_bytes  |max_utilization|max_backpressure|  max_workers  |   max_batch   | host.hostname |    logstash.pipeline.name    |    pq_percent    
---------------+---------------+----------------+---------------+---------------+---------------+------------------------------+------------------
21414586420    |99.01          |0.514           |16             |1000           |ABCDEFGHIJKLM05|network-netflow-agent         |1994.3887759000063
9473071805     |98.98          |0.371           |16             |1000           |ABCDEFGHIJKLM04|network-netflow-agent         |882.2485622949898 
null           |null           |null            |2              |125            |ABCDEFGHIJKLM07|storage_dell_isilon           |null              
null           |null           |null            |2              |125            |ABCDEFGHIJKLM07|storage_cisco_ndfc            |null  

Hello @Whoami1980

I am not sure if you are using the same query, because as per the data in your environment you will have to review and change the query. I had attached the reference data I used to create the query; if your data matches as it is, then no issues, else we need to re-work the query.

Thanks!!

@Tortoise

This is the query that we use. No change.

POST /_query?format=txt
{
  "query": """
  FROM ABCD*:metrics-logstash*
|   WHERE @timestamp > NOW() - 60 minutes
|   STATS 
      max_pq_bytes     = MAX(logstash.pipeline.total.queues.current_size.bytes),
      max_utilization  = MAX(logstash.pipeline.total.flow.worker_utilization.current),
      max_backpressure = MAX(logstash.pipeline.total.flow.queue_backpressure.last_1_minute),
      max_workers      = MAX(logstash.pipeline.info.workers),
      max_batch        = MAX(logstash.pipeline.info.batch_size)
    BY host.hostname, logstash.pipeline.name
|   EVAL pq_percent = (max_pq_bytes / 1073741824.0) * 100
|   SORT pq_percent DESC
|   LIMIT 100
  """
}

The results are as per the last reply, but why are we getting abnormal or null pq_percent?

@Tortoise

I think the results are ok or accurate. Just not sure how we can deal with the high pq_percent. I am assuming here we are ingesting too much data, especially netflow, or maybe I am wrong.

 max_pq_bytes  |max_utilization|max_backpressure|  max_workers  |   max_batch   | host.hostname |   logstash.pipeline.name    |    pq_percent    
---------------+---------------+----------------+---------------+---------------+---------------+-----------------------------+------------------
null           |0.0            |0.0             |1              |400            |			|generic-snmp-trap-new        |null              
null           |0.0            |0.0             |1              |400            |			|generic-snmp-trap-new        |null              
null           |0.0            |0.0             |1              |400            |			|generic-snmp-trap-new        |null              
null           |0.0            |0.0             |1              |400            |			|generic-snmp-trap-new        |null              
null           |null           |null            |null           |null           |null           |null                         |null              
null           |0.0            |0.0             |1              |400            |			|generic-snmp-trap-new        |null              
null           |0.0            |0.0             |1              |400            |			|generic-snmp-trap-new        |null              
null           |0.0            |0.0             |1              |400            |			|generic-snmp-trap-new        |null              
null           |0.0            |0.0             |2              |125            |			|server_ntp                   |null              
null           |null           |null            |null           |null           |			|snmp-poll-ise-cisco          |null              
null           |0.0            |0.0             |1              |400            |			|generic-snmp-trap-new        |null              
109398511173   |99.02          |0.478           |16             |1000           |			|network-netflow-agent        |10188.530308473855
96894371358    |99.06          |0.54            |16             |1000           |			|network-netflow-agent        |9023.991539888084 
67746499558    |99.18          |0.0             |16             |1000           |			|network-netflow-agent        |6309.384438954294 
63881529337    |98.81          |0.468           |16             |1000           |			|network-netflow-agent        |5949.431037250906 
55889090828    |98.75          |0.627           |16             |1000           |			|network-netflow-agent        |5205.077196285129 
39436432256    |98.72          |0.502           |16             |1000           |			|network-netflow-agent        |3672.8039622306824
33366684074    |98.81          |0.649           |16             |1000           |			|network-netflow-agent        |3107.5146118178964
22296851339    |98.96          |0.548           |16             |1000           |			|network-netflow-agent        |2076.556099485606 
21476246016    |99.67          |0.296           |8              |1000           |			|network-cisco-ftd            |2000.1312732696533
11105622619    |95.62          |9.529           |16             |1000           |			|system                       |1034.2917050234973
11025044615    |99.74          |0.093           |8              |1000           |			|network-cisco-ftd            |1026.7872936092317
8222511646     |98.93          |12.53           |16             |1000           |			|system_windows               |765.7810715958476 
7180350372     |99.47          |0.682           |16             |1000           |			|network-fortigate            |668.7222395092249 
6600029351     |99.28          |3.071           |16             |1000           |			|system_windows               |614.6756327711046 
6413602329     |99.23          |4.938           |16             |1000           |			|system_windows               |597.3132633604109 
5991907597     |98.89          |5.441           |16             |1000           |			|system_windows               |558.0398810096085 
5953351446     |99.67          |0.064           |8              |1000           |			|network-cisco-ftd            |554.4490596279502 
5913354891     |99.64          |0.262           |2              |500            |			|network-infoblox             |550.7240901701152 
4772000000     |99.48          |3.558           |16             |1000           |			|system_windows               |444.42713260650635
4700235372     |99.02          |2.7             |16             |1000           |			|system_windows               |437.74353079497814
3663256673     |99.05          |1.474           |16             |1000           |			|system_windows               |341.1673636175692 
3382254554     |98.64          |7.915           |16             |1000           |			|system_windows               |314.9970019236207 
3334399747     |98.9           |4.172           |16             |1000           |			|system_windows               |310.540175717324  
2665625266     |98.5           |8.506           |16             |1000           |			|system_windows               |248.25569856911898
2352279641     |98.73          |0.933           |16             |1000           |			|system_windows               |219.07311314716935
2285006777     |99.58          |0.51            |16             |1000           |			|system_windows               |212.80783945694566
2031468499     |99.37          |0.656           |16             |1000           |			|system_windows               |189.19524727389216
1638290506     |99.3           |0.888           |16             |1000           |			|system_windows               |152.5776932016015 
1539422861     |99.28          |1.233           |16             |1000           |			|system_windows               |143.3699262328446 
1258663732     |99.68          |0.107           |1              |400            |			|generic-snmp-trap            |117.22219474613667

Hello @Whoami1980

Please check the denominator which is set to 1 GB :

EVAL pq_percent = (max_pq_bytes / 1073741824.0) * 100

You need to find the denominator value in your environment and add it to get the correct pq_percent.

Or one way is to check the original table you have in your environment and see how pq_percent was calculated, to find the denominator field.

Thanks!!

@Tortoise

I figured out that the denominator should be
"logstash.pipeline.total.queues.max_size.bytes"

The issue I am facing now is that the division below returns 0 :frowning:
EVAL pq_percent = (max_pq_bytes / max_queues_size) * 100

POST /_query?format=txt
{
  "query": """
  FROM ABCD*:metrics-logstash*
|   WHERE @timestamp > NOW() - 60 minutes
    AND (logstash.pipeline.total.queues.current_size.bytes) IS NOT NULL
    AND (logstash.pipeline.total.queues.max_size.bytes) > 0
|   STATS 
      max_pq_bytes     = MAX(logstash.pipeline.total.queues.current_size.bytes),
      max_workers      = MAX(logstash.pipeline.info.workers),
      max_batch        = MAX(logstash.pipeline.info.batch_size),
      max_queues_size = MAX(logstash.pipeline.total.queues.max_size.bytes)
    BY host.hostname, logstash.pipeline.name
|   
    EVAL pq_percent = (max_pq_bytes / max_queues_size) * 100
|   SORT pq_percent DESC
|   LIMIT 100
    """
}
max_pq_bytes  |  max_workers  |   max_batch   |max_queues_size| host.hostname |                     logstash.pipeline.name                     |  pq_percent   
---------------+---------------+---------------+---------------+---------------+----------------------------------------------------------------+-----------
78446433       |2              |500            |32212254720    |			|network-cisco-san                                               |0              
375256021      |8              |500            |32212254720    |			|snmp-poll-fw-fortigate                                          |0              
1              |2              |500            |32212254720    |			|network-cisco-aci                                               |0 

Hello @Whoami1980

you can try :

EVAL pq_percent = ROUND((TO_DOUBLE(max_pq_bytes) / max_queues_size) * 100, 2)

Thanks!!
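
The fixes from this thread combined into one top-10 query, as an added example that was not posted by either participant. It uses the index pattern and field names quoted above and assumes both queue size fields are mapped as long, which the 0 results above suggest.

```esql
// Added example: top 10 pipelines by persistent-queue fill over the last 60 minutes.
// Index pattern and field names are the ones posted in this thread; adjust them
// to the index pattern behind your own data view.
FROM ABCD*:metrics-logstash*
| WHERE @timestamp > NOW() - 60 minutes
| STATS
    max_pq_bytes     = MAX(logstash.pipeline.total.queues.current_size.bytes),
    max_queues_size  = MAX(logstash.pipeline.total.queues.max_size.bytes),
    max_utilization  = MAX(logstash.pipeline.total.flow.worker_utilization.current),
    max_backpressure = MAX(logstash.pipeline.total.flow.queue_backpressure.last_1_minute),
    max_workers      = MAX(logstash.pipeline.info.workers),
    max_batch        = MAX(logstash.pipeline.info.batch_size)
  BY host.hostname, logstash.pipeline.name
// Pipelines that report no queue size (null) or no configured maximum cannot
// yield a percentage. Drop them here: in a DESC sort ES|QL places nulls first,
// so null rows would otherwise fill the top of the table.
| WHERE max_pq_bytes IS NOT NULL AND max_queues_size > 0
// Dividing one whole-number column by another is integer division, so the
// fraction is discarded before the multiplication by 100 happens.
// Converting one operand to double keeps the fraction.
| EVAL pq_percent = ROUND(TO_DOUBLE(max_pq_bytes) / max_queues_size * 100, 2)
| SORT pq_percent DESC
| LIMIT 10
| KEEP host.hostname, logstash.pipeline.name, pq_percent, max_pq_bytes,
       max_queues_size, max_utilization, max_backpressure, max_workers, max_batch
```

Dividing by the per-pipeline `max_size` field instead of a fixed 1073741824.0 is what removes the percentages far above 100 seen in the earlier results.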

Nice. That works, though I still don't understand the magic.
but will remember this by hard memory for now.

btw i assume we can use this esql query to create an alert?
instead of manually running this on devtools

Hello ,

it depends on the requirement but yes there is an option :

Thanks!!

@Tortoise Thanks for the assistance. Very much appreciated
