Logstash Email throttle not working


(Amit Kashyap) #1

I am able to generate mails based on events in log file but I am not able to throttle it.

Below is my config file.

============================================
input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "hascript_log" {
    grok {
      # Pipes are escaped: an unescaped | is regex alternation inside a grok pattern.
      match => { "message" => "%{TIMESTAMP_ISO8601:ts}\|%{IPORHOST:hostname}\|%{WORD:level}\|%{GREEDYDATA:txt}" }
    }

    throttle {
      before_count => -1
      after_count => 1
      period => 60
      max_age => 120
      # Events are counted per distinct expanded value of this key.
      key => "%{message}"
      add_tag => "throttled"
    }
    if "throttled" in [tags] {
      drop { }
    }
  }
}

output {
  stdout { codec => rubydebug }

  if [type] == "hascript_log" {
    elasticsearch {
      index => "audit-%{+YYYY.MM.dd}"
      hosts => ["localhost:9200"]
    }

    if "throttled" not in [tags] {
      email {
        debug => true
        address => "mail server ip"
        port => 25
        body => " This is notification mailto report error in HA configuration for \n\n Detailed Description \n\n\n  :\n'%{message}' \n\n\n"
        from => "mail id"
        subject => "Error in HA Configuration "
        to => "Amit_Kashyap@DellTeam.com"
      }
    }
  }
}


(Amit Kashyap) #2

I also tried splitting the filter. One filter will grok the incoming request and the second filter will throttle, but I am still getting more than 5 mails every minute.

Here is the new config for the filter.

filter {
  if [type] == "hascript_log" {
    grok {
      # Pipes are escaped: an unescaped | is regex alternation inside a grok pattern.
      match => { "message" => "%{TIMESTAMP_ISO8601:ts}\|%{IPORHOST:hostname}\|%{WORD:level}\|%{GREEDYDATA:txt}" }
    }
  }
}

filter {
  if [type] == "hascript_log" {
    throttle {
      before_count => -1
      after_count => 1
      period => 60
      max_age => 120
      # Events are counted per distinct expanded value of this key.
      key => "%{message}"
      add_tag => "throttled"
    }
    if "throttled" in [tags] {
      drop { }
    }
  }
}


(Amit Kashyap) #3

Any help would be really appreciated.


(Amit Kashyap) #4

After changing the value of key, it seems like throttle is working now.
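
An added illustration, not part of any post in this thread and not the plugin's own code: a simplified Python model of per-key throttle counting (before_count => -1, after_count => 1, period => 60), run over constructed log lines in the ts|hostname|level|txt layout from the grok pattern above. It shows how key cardinality decides how many alert mails get through; the alternative keys `%{hostname}|%{txt}` and `%{txt}` are assumptions, since the thread does not say which key was finally used.

```python
import re
from datetime import datetime

# Constructed sample lines (not taken from the thread).
SAMPLE_LINES = [
    "2016-05-10T10:00:01|node1|ERROR|HA heartbeat lost",
    "2016-05-10T10:00:05|node1|ERROR|HA heartbeat lost",
    "2016-05-10T10:00:09|node1|ERROR|HA heartbeat lost",
    "2016-05-10T10:00:30|node2|ERROR|HA heartbeat lost",
    "2016-05-10T10:01:20|node1|ERROR|HA heartbeat lost",
]

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<hostname>[^|]+)\|(?P<level>[^|]+)\|(?P<txt>.*)$"
)

def parse(line):
    """Split one line into the fields the grok pattern would extract."""
    fields = LINE_RE.match(line).groupdict()
    fields["message"] = line                      # raw line, timestamp included
    fields["when"] = datetime.fromisoformat(fields["ts"])
    return fields

def expand(template, event):
    """Resolve %{field} references, as a sprintf-style key would."""
    return re.sub(r"%\{(\w+)\}", lambda m: str(event[m.group(1)]), template)

def emails_sent(lines, key_template, after_count=1, period=60):
    """Count events that pass a simplified throttle (hypothetical helper)."""
    windows = {}                                  # key -> (window_start, count)
    passed = 0
    for event in map(parse, lines):
        key = expand(key_template, event)
        start, count = windows.get(key, (event["when"], 0))
        if (event["when"] - start).total_seconds() >= period:
            start, count = event["when"], 0       # window expired, start over
        count += 1
        windows[key] = (start, count)
        if count <= after_count:                  # beyond this, event is tagged and dropped
            passed += 1
    return passed

if __name__ == "__main__":
    for template in ("%{message}", "%{hostname}|%{txt}", "%{txt}"):
        print(template, "->", emails_sent(SAMPLE_LINES, template), "mails")
```

With a key that contains a per-event timestamp, every event lands in its own counter and nothing is ever throttled; a key built only from stable fields collapses repeats into one mail per period.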


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.