Logstash metric filter - help

The example log file contains a list of logs. I am trying to apply a metric filter to check the count of log-level==ERROR for every 5 s, and if the count is greater than 1 then it should trigger an email. I am not sure what is wrong here, but it's not working. Using Logstash 2.2.4.

    input {
      file {
        path => "/var/log/logstash/example"
        start_position => beginning
      }
    }

    filter {
      grok {
        match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:log-level}\s*\]" }
      }
      if [log-level] == "ERROR" {
        metrics {
          meter => [ "log-level" ]
          flush_interval => 5
          clear_interval => 5
        }
      }
    }

    output {
      if [log-level] == "ERROR" {
        if [log-level][count] < 1 {
          email {
            port => 25
            address => "mail.abc.com"
            authentication => "login"
            use_tls => true
            from => "alerts@logstash.com"
            subject => "logstash alert"
            to => "***@abc.com"
            via => "smtp"
            body => "here is the event line %{message}"
            debug => true
          }
        }
      }
    }

Can you please send the logs from Logstash? It's to check what kind of errors it is throwing.

There are no errors in the logstash.log file:

    tail -n 4 logstash.log

    {:timestamp=>"2017-03-28T10:33:11.727000-0400", :message=>"Adding pattern", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", :level=>:info}
    {:timestamp=>"2017-03-28T10:33:11.727000-0400", :message=>"Adding pattern", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}", :level=>:info}
    {:timestamp=>"2017-03-28T10:33:33.451000-0400", :message=>"Starting pipeline", :id=>"base", :pipeline_workers=>2, :batch_size=>125, :batch_delay=>5, :max_inflight=>250, :level=>:info}
    {:timestamp=>"2017-03-28T10:33:33.455000-0400", :message=>"Pipeline started", :level=>:info}
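An added example, not posted by anyone in this thread: one way to wire a 5-second ERROR counter to an email alert with the metrics filter. The metrics filter emits its counters as a separate, periodically generated event, so the output selects that event by tag and reads the counter from the meter's own field. The field name `loglevel`, the meter name `errors` and the tag `metric` are assumptions chosen for this sketch; paths and mail settings are the ones from the first post.

```logstash
input {
  file {
    path => "/var/log/logstash/example"
    start_position => "beginning"
  }
}

filter {
  grok {
    # "loglevel" is an assumed field name, kept distinct from the meter name below
    match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:loglevel}\s*\]" }
  }
  if [loglevel] == "ERROR" {
    metrics {
      meter          => [ "errors" ]   # counters appear as [errors][count], [errors][rate_1m], ...
      add_tag        => [ "metric" ]   # marks the generated metric event for the output stage
      flush_interval => 5              # emit a metric event every 5 s
      clear_interval => 5              # reset the counter every 5 s
    }
  }
}

output {
  # The metric event is not one of the log events: it carries the "metric" tag
  # and the [errors] counters, not the original log line or [loglevel].
  if "metric" in [tags] and [errors][count] > 1 {
    email {
      port => 25
      address => "mail.abc.com"
      authentication => "login"
      use_tls => true
      from => "alerts@logstash.com"
      subject => "logstash alert"
      to => "***@abc.com"
      via => "smtp"
      body => "%{[errors][count]} ERROR events counted in the last 5 seconds"
      debug => true
    }
  }
}
```

Swapping the email output for `stdout { codec => rubydebug }` under the same conditional shows the metric events and their counter fields before any mail is sent.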
