Logstash metric filter - help

August_rush · March 28, 2017, 2:50pm

The example log file contains a list of logs , i am trying to apply a metric filter to check the count of log-level==ERROR for every 5 s and if the count is greater than 1 then it should trigger an email, i am not sure , what is wrong here , but it's not working - using logstash 2.2.4

      input {
              file {
                path => "/var/log/logstash/example"
                start_position => beginning
              }
            }

    filter {
     grok{
       match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:log-level}\s*\]" }
     }
     if [log-level] == "ERROR" {
       metrics {
           meter => [ "log-level" ]
           flush_interval => 5
           clear_interval => 5
          }
       }
    }
    output {
    if [log-level] == "ERROR" {
      if [log-level][count] < 1 {
        email {
            port => 25
            address => "mail.abc.com"
            authentication => "login"
            use_tls => true
            from => "alerts@logstash.com"
            subject => "logstash alert"
            to => "***@abc.com"
            via => "smtp"
            body => "here is the event line %{message}"
            debug => true
          }
        }
      }
    }

prodrg · March 28, 2017, 3:06pm

Can you please send the logs from Logstash? It's to check what kind of errors it is throwing

August_rush · March 28, 2017, 3:09pm

There are no errors in the logstash.log file
tail -n 4 logstash.log

{:timestamp=>"2017-03-28T10:33:11.727000-0400", :message=>"Adding pattern", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", :level=>:info}
{:timestamp=>"2017-03-28T10:33:11.727000-0400", :message=>"Adding pattern", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2017-03-28T10:33:33.451000-0400", :message=>"Starting pipeline", :id=>"base", :pipeline_workers=>2, :batch_size=>125, :batch_delay=>5, :max_inflight=>250, :level=>:info}
{:timestamp=>"2017-03-28T10:33:33.455000-0400", :message=>"Pipeline started", :level=>:info}

system · April 25, 2017, 3:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Metrics filter stopped working after upgrade to logstash 2.2.x Logstash	4	944	July 6, 2017
Logstash filter "metrics" is not working! Logstash	6	1080	December 16, 2016
Would someone please paste a verbose sample of filter metrics? Logstash	1	567	July 6, 2017
Logstash metrics for different types? Logstash	3	667	July 6, 2017
Logstash metrics filter not working after logstash 2.2.0 upgrade Logstash	6	1595	July 6, 2017

Logstash metric filter - help

Related topics