Logstash events count and get alert

I want to count events in Logstash and get an alert if events hit more than 10 times within 2 mins.

E.g. I have a log like below.

Feb 19 15:22:01 DEVICE-01 Device is online.
Feb 19 15:22:01 DEVICE-02 Device is online.
Feb 19 15:22:01 DEVICE-03 Device is online.
Feb 19 15:22:01 DEVICE-03 Device is offline.
Feb 19 15:22:02 DEVICE-01 Device is offline.
Feb 19 15:22:02 DEVICE-01 Device is online.

I have multiple devices sending events to the Logstash server and I want to get alerts through email if it hits the defined count value.
Like, if "Device-01" comes online more than 10 times within 2 min, then it should notify me through email, mentioning the device name in the email body. I managed to get an alert if only 1 device is available but couldn't succeed with logs from multiple devices.

I am using the metrics filter here.

filter {
  if "online" in [device_msg] {
    # metrics emits its own event every flush_interval carrying [events][count]
    metrics {
      meter => [ "events" ]
      flush_interval => 120
      clear_interval => 120
      add_tag => "events"
    }
  }
}
output {
  if "events" in [tags] {
    if [events][count] > 10 {
      email {
        to => 'me@domain.com'
        from => 'monitor@domain.com'
        subject => 'Device - ALert'
        body => "[ %{log_timestamp} ]\nDeviceName: %{logsource} (%{host})\nMessage: %{device_msg}"
        domain => 'smtp.domain.com'
        port => 25
      }
    }
  }
}

The email I received:

[ %{log_timestamp} ]
DeviceName: %{logsource} (%{host})
Message: %{device_msg}

Hello. I don't have the biggest knowledge about this.
But I've already seen something about the 'throttle filter plugin'.
Maybe you should take a look:
Throttle filter plugin | Logstash Reference [7.11] | Elastic

Maybe there is a better or easier way to do it. Hope it helps.


If the sprintf references were not substituted that suggests the field did not exist. How are you parsing out log_timestamp, logsource etc.?
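An added example, not from the original thread, that puts the two replies together: grok extracts the fields the email body references, and the throttle filter keyed on logsource tags the original event once a device passes 10 "online" events in 120 s, so the email sees log_timestamp, logsource and device_msg (the metrics filter instead emits a separate event that carries only its own fields, which is why the placeholders came through unsubstituted). Assumptions: the raw line is in [message], the input section is whatever you already use, and the grok pattern matches the sample lines above.

```logstash
filter {
  # Pull the three fields the email body references out of each raw line.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:log_timestamp} %{HOSTNAME:logsource} %{GREEDYDATA:device_msg}" }
  }

  # Let @timestamp follow the log line (no year in the source, so the
  # current year is assumed); throttle counts by event time.
  date {
    match => [ "log_timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
  }

  if "online" in [device_msg] {
    # Count "online" events per device: from the 11th event of the same
    # logsource within a 120 s period onward, the event is tagged.
    throttle {
      key         => "%{logsource}"
      after_count => 10
      period      => 120
      add_tag     => "online_flood"
    }
  }

  # Every event past the threshold would mail again; a second throttle
  # marks all but the first tagged event per device per window and drop
  # removes them, so one email goes out per device per 2 minutes.
  if "online_flood" in [tags] {
    throttle {
      key         => "%{logsource}"
      after_count => 1
      period      => 120
      add_tag     => "online_flood_repeat"
    }
    if "online_flood_repeat" in [tags] { drop { } }
  }
}

output {
  if "online_flood" in [tags] {
    # This is the original device event, so the sprintf references resolve.
    email {
      to      => 'me@domain.com'
      from    => 'monitor@domain.com'
      subject => 'Device alert: %{logsource} came online more than 10 times in 2 minutes'
      body    => "[ %{log_timestamp} ]\nDeviceName: %{logsource} (%{host})\nMessage: %{device_msg}"
      domain  => 'smtp.domain.com'
      port    => 25
    }
  }
}
```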
