Logstash Email throttle not working

I am able to generate mails based on events in the log file, but I am not able to throttle them.

Below is my config file.

============================================
input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "hascript_log" {
    grok {
      # Literal pipes are escaped; an unescaped | is regex alternation.
      match => { "message" => "%{TIMESTAMP_ISO8601:ts}\|%{IPORHOST:hostname}\|%{WORD:level}\|%{GREEDYDATA:txt}" }
    }

    throttle {
      before_count => -1
      after_count => 1
      period => 60
      max_age => 120
      key => "%{message}"
      add_tag => "throttled"
    }
    if "throttled" in [tags] {
      drop { }
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }

  if [type] == "hascript_log" {
    elasticsearch {
      index => "audit-%{+YYYY.MM.dd}"
      hosts => ["localhost:9200"]
    }

    if "throttled" not in [tags] {
      email {
        debug => true
        address => "mail server ip"
        port => 25
        body => " This is notification mailto report error in HA configuration for \n\n Detailed Description \n\n\n  :\n'%{message}' \n\n\n"
        from => "mail id"
        subject => "Error in HA Configuration "
        to => "Amit_Kashyap@DellTeam.com"
      }
    }
  }
}

I also tried splitting the filter: one filter will grok the incoming request and a second filter will throttle, but I am still getting more than 5 mails every minute.

Here is the new config for the filter.

filter {
  if [type] == "hascript_log" {
    grok {
      # Literal pipes are escaped; an unescaped | is regex alternation.
      match => { "message" => "%{TIMESTAMP_ISO8601:ts}\|%{IPORHOST:hostname}\|%{WORD:level}\|%{GREEDYDATA:txt}" }
    }
  }
}

filter {
  if [type] == "hascript_log" {
    throttle {
      before_count => -1
      after_count => 1
      period => 60
      max_age => 120
      key => "%{message}"
      add_tag => "throttled"
    }
    if "throttled" in [tags] {
      drop { }
    }
  }
}

Any help would be really appreciated.

After changing the value of key, it seems like throttle is working now.
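Why the choice of `key` decides whether alert mail is rate-limited, shown as an added example that is not part of the original posts and is not the throttle plugin's own code: a simplified model of `after_count => 1` / `period => 60` run over constructed log lines in the thread's `ts|hostname|level|txt` layout. The thread does not say which key was finally used, so the replacement key `%{hostname}|%{level}|%{txt}` is an assumption.

```ruby
require "time"

# Simplified model of the settings in the post (before_count => -1 means no
# lower bound, after_count => 1, period => 60). Not the plugin's code.
AFTER_COUNT = 1
PERIOD = 60 # seconds

# Constructed sample lines: the same error repeating, timestamps differ.
SAMPLE_LINES = [
  "2016-05-10T10:00:01|node1|ERROR|HA peer unreachable",
  "2016-05-10T10:00:07|node1|ERROR|HA peer unreachable",
  "2016-05-10T10:00:13|node1|ERROR|HA peer unreachable",
  "2016-05-10T10:00:19|node2|ERROR|HA peer unreachable",
  "2016-05-10T10:00:25|node1|ERROR|HA peer unreachable",
  "2016-05-10T10:01:30|node1|ERROR|HA peer unreachable",
].freeze

# Split a line into the fields the grok pattern in the post extracts.
def parse(line)
  ts, hostname, level, txt = line.split("|", 4)
  { "message" => line, "time" => Time.iso8601("#{ts}Z"),
    "hostname" => hostname, "level" => level, "txt" => txt }
end

# Expand a "%{field}" key template against one event.
def expand(template, event)
  template.gsub(/%\{(\w+)\}/) { event.fetch(Regexp.last_match(1)).to_s }
end

# Return the lines that would still reach the email output (not throttled).
def emailed(lines, key_template)
  windows = {} # key => [window_start, count]
  lines.map { |l| parse(l) }.reject do |ev|
    key = expand(key_template, ev)
    start, count = windows[key]
    if start.nil? || ev["time"] - start >= PERIOD
      start, count = ev["time"], 0 # first event for this key, or period over
    end
    windows[key] = [start, count + 1]
    count + 1 > AFTER_COUNT # true => tagged "throttled" and dropped
  end.map { |ev| ev["message"] }
end

if __FILE__ == $PROGRAM_NAME
  ["%{message}", "%{hostname}|%{level}|%{txt}"].each do |key|
    puts "key => #{key.inspect}: #{emailed(SAMPLE_LINES, key).size} of #{SAMPLE_LINES.size} events emailed"
  end
end
```

With `%{message}` the timestamp is part of the key, so every event starts its own counter and none is ever throttled; a key built from the parsed fields groups the repeats.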
