The event timestamp is modified initially using
date {
match => [ "date","dd MMM YYYY HH:mm:ss,SSS"]
locale => "es"
}
I'm using throttle to tag log events with a tag if the events occur more than 100 times per 10 minutes. Below is the configuration. I was expecting it to be aggregated based on the date field above. However, it is still aggregating based on system time.
throttle {
before_count => -1
after_count => 100
period => 600
key => "%{AlertType}%{serviceName}"
add_tag => "throttled"
}
In other words, I just wanted to know if there is any way to make throttle aggregate the event counts based on the date/@timestamp field associated with the event rather than aggregating based on time at which the event is received.
As in, while testing, if I feed one whole day's log and the processing gets over in Logstash in, say, 2 minutes, all the events would come within the 10-minute interval, even though the log file is for an entire day.
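To show what counting against the event's own date (rather than arrival time) looks like with the parameters above, here is an added example that is not part of the original post and not the throttle plugin's code: it parses the "dd MMM YYYY HH:mm:ss,SSS" pattern with a constructed Spanish month table, buckets events into fixed 600-second slots per "%{AlertType}%{serviceName}" key, and tags everything past 100 in a slot; the sample log lines and the DiskFull/db key are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Spanish month abbreviations for locale => "es" (constructed table for this example)
MONTHS_ES = ["ene", "feb", "mar", "abr", "may", "jun", "jul", "ago", "sep", "oct", "nov", "dic"]
DATE_RE = re.compile(r"(\d{2}) ([a-z]{3}) (\d{4}) (\d{2}):(\d{2}):(\d{2}),(\d{3})")

def parse_es_date(text):
    """Parse 'dd MMM YYYY HH:mm:ss,SSS' with Spanish month names into a UTC datetime."""
    m = DATE_RE.fullmatch(text.lower())
    if not m:
        raise ValueError(f"unparseable date: {text!r}")
    day, mon, year, hh, mm, ss, ms = m.groups()
    return datetime(int(year), MONTHS_ES.index(mon) + 1, int(day), int(hh), int(mm),
                    int(ss), int(ms) * 1000, tzinfo=timezone.utc)

def fmt_es(dt):
    """Inverse of parse_es_date, used only to build the constructed sample log lines."""
    return f"{dt.day:02d} {MONTHS_ES[dt.month - 1]} {dt.year} {dt:%H:%M:%S},{dt.microsecond // 1000:03d}"

def throttle_by_event_time(events, period=600, after_count=100, tag="throttled"):
    """Count events per key in fixed period-second slots taken from the event's own
    'date' field (not arrival time) and tag every event beyond after_count in a slot."""
    counts = Counter()
    for ev in events:
        slot = int(parse_es_date(ev["date"]).timestamp()) // period
        key = (ev["AlertType"], ev["serviceName"], slot)   # key => "%{AlertType}%{serviceName}"
        counts[key] += 1
        if counts[key] > after_count:
            ev.setdefault("tags", []).append(tag)
    return events

def tagged_count(n, step_seconds):
    """Constructed sample: n events for one key, step_seconds apart, all fed in at once."""
    start = datetime(2015, 3, 10, tzinfo=timezone.utc)
    events = [{"date": fmt_es(start + timedelta(seconds=i * step_seconds)),
               "AlertType": "DiskFull", "serviceName": "db"} for i in range(n)]
    throttle_by_event_time(events)
    return sum(1 for ev in events if "tags" in ev)

if __name__ == "__main__":
    # 150 events within 150 s: 50 of them exceed the 100-per-slot limit
    print(tagged_count(150, 1))     # 50
    # a whole day's log at one event per minute: no 10-minute slot exceeds 100
    print(tagged_count(1440, 60))   # 0
```

The second call is the replay scenario from the question: a day's worth of events ingested in a couple of minutes, which wall-clock counting would lump into one window but event-time counting spreads over 144 slots.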