I have the following data:
source | processed_by_logstash | rate_15m
filebeat1 | logstash1 | 10
filebeat1 | logstash2 | 20.5
filebeat2 | logstash1 | 20.1
filebeat2 | logstash2 | 20.6
The source is the system/agent sending the logs, processed_by_logstash stores the name of the logstash which processed the logs, and rate_15m is the rate per sec during the last 15 minutes.
I want to know the rates per source - in this case 30.5 for filebeat1, 40.7 for filebeat2. How do I get these values? I am able to use multiple aggregations to get the average of rate_15m values for each source/processed_by_logstash combination, but in this case the value is half of what I want. Also, the number of processed_by_logstash per source changes, so I cannot simply multiply the result by 2.