Hi All,
I have a setup that is working fine, but when I try to send a conditional email using throttle, it's not working.
Please find below the config I am using:
input {
  # Listener for events shipped over the lumberjack protocol (TLS is mandatory for it).
  lumberjack {
    type => "logs"
    port => 5000
    # Private key and certificate presented to connecting shippers. The key file
    # should be readable only by the account that runs Logstash.
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
  }
}
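filter {
  # Events of type "mHood": join continuation lines, parse the line, set @timestamp.
  if [type] == "mHood" {
    # A line that starts with whitespace is appended to the previous event.
    multiline {
      pattern => "^\s"
      what => "previous"
    }
    grok {
      # The brackets around the thread name are escaped: unescaped, "[...]" is a regex
      # character class, not a pair of literal brackets, and "thread" is never captured.
      match => { "message" => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:level} \[%{DATA:thread}\]%{DATA:classname}: %{GREEDYDATA:logdata}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      add_tag => [ "level_%{level}" ]
    }
    # Use the timestamp parsed from the log line as the event time.
    date {
      match => [ "logdate", "yyyy-MM-dd HH:mm:ss,SSS" ]
    }
  }

  # Mark ping-response lines; the tag is only added when the grok match succeeds.
  if "Got ping response for sessionid" in [message] {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:level} \[%{DATA:thread}\]%{DATA:classname}: %{GREEDYDATA:logdata}" }
      add_tag => [ "got_ping_1" ]
    }
  }

  if "got_ping_1" in [tags] {
    # throttle keeps one counter per distinct key value. The key was "%{message}", and the
    # message begins with the log timestamp, so practically every event got its own counter
    # with a count of 1. That is below before_count, so every event was tagged as throttled
    # and the e-mail output never fired.
    # With a constant key all ping events share one counter: in each 3600 s period events
    # 1-9 are tagged, events 10-15 pass untagged (these produce the e-mail), and events
    # after the 15th are tagged again. To alert from the first occurrence, drop before_count.
    # A fixed key also stops log content from deciding how many counters are held in memory.
    throttle {
      before_count => 10
      after_count => 15
      period => 3600
      key => "got_ping_1"
      add_tag => "throttled_got_ping_1"
    }
  }
}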
# Alerting and indexing. The e-mail is sent only for events that carry "got_ping_1" and
# that the throttle filter did not tag "throttled_got_ping_1". The elasticsearch output
# sits outside both conditionals, so every event is indexed on localhost.
# NOTE(review): the htmlbody value below lost its HTML markup and its closing quote when
# the post was rendered, so this block does not parse as shown.
output {
if "throttled_got_ping_1" not in [tags] {
if "got_ping_1" in [tags] {
email {
from => "logstash.alert@abc"
subject => "Logstash Alert 2 "
to => "dnyaneshwar.sonawane@abc.com"
via => "smtp"
# %{message} is raw log text written by the monitored application.
# NOTE(review): presumably the original htmlbody also interpolated event fields. If so,
# markup contained in a log line would be rendered by the recipient's mail client, so
# keep the HTML part static or escape the fields. Confirm against the original config.
body => "Here is the event line that occured: %{message}"
htmlbody => "htmlbody commented<!-- some --
Logstash alert
Full Event
}
}}
elasticsearch { host => localhost }
}
The throttle tags are being created properly, but the throttle emails are not being generated.
Can anyone suggest what I am missing?
Thanks
Dnyaneshwar