Metrics do nothing in my file

I am trying to count the number of logs that appear in my file. Now I am using a file with logs as an example, but later I will use a syslog, and I want it to count the logs that arrive in 2 minutes.

filter {
	if [msgFinal] =~ /(?i:IPS Prevention Alert)/ {
		metrics {
			meter => ["logs_count"]
			flush_interval => 120
			clear_interval => 120
			add_tag => ["ATTACK"]
		}
	}
}

But it seems that metrics does not count anything or add the tag to me.
When I try to print an output, nothing appears.

output {
	if "ATTACK" in [tags] {
		stdout {
			codec => line {
				format => "hay: %{[logs_count][count]}"
			}
		}
	}
}

Are you waiting two minutes for the metric to be generated? I suggest you reduce the intervals to maybe 2 seconds and switch to a stdin input. Then paste messages in slowly.

The metrics filter does not modify any of the events that pass through the filter. Every 5 seconds it checks to see whether it is time to generate a new event that contains the values of the counters, and then checks to see if it is time to clear the counters. It will then process the add_tag option and apply it to the newly generated event.

If you try the experiment I suggested in the first paragraph, that may make it clearer what the filter is doing.

Thanks so much! You're right. I have to wait 2 minutes for the result to be printed on the screen.

Now I have to check if that wait can be a problem when the logs are arriving continuously. My idea is to check if 50 logs of a specific type arrive in 2 minutes, but I have to check it over and over and over again.
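A complete pipeline for the stdin experiment suggested in the first reply, extended with the 50-matches-per-window check from the last post. This is an added example, not configuration from the thread or from the Logstash project; it assumes the meter name logs_count and the threshold of 50 from the posts, and matches on [message] because a stdin input puts each pasted line there (the question's field is [msgFinal], which would be used once the syslog input is in place).

```logstash
# Added example, not from the thread. Assumes: meter name logs_count,
# threshold 50 per window, stdin input for the experiment.
input {
  stdin { }
}

filter {
  # Only matching events are metered; the filter never modifies them.
  # With stdin the text is in [message]; use [msgFinal] for the syslog pipeline.
  if [message] =~ /(?i:IPS Prevention Alert)/ {
    metrics {
      meter => ["logs_count"]
      flush_interval => 2     # 2 s for the experiment; 120 for the 2-minute window
      clear_interval => 2     # reset the counter after each flush so count is per window
      add_tag => ["ATTACK"]   # goes on the generated metric event only
    }
  }
}

output {
  # Only the generated metric event carries the tag and [logs_count][count];
  # the log events themselves never reach this branch.
  if "ATTACK" in [tags] {
    if [logs_count][count] >= 50 {
      stdout {
        codec => line {
          format => "threshold exceeded: %{[logs_count][count]} matching logs in this window"
        }
      }
    } else {
      stdout {
        codec => line {
          format => "count: %{[logs_count][count]}"
        }
      }
    }
  }
}
```

Because clear_interval equals flush_interval, [logs_count][count] on each generated event is the number of matches since the previous flush, so the comparison against 50 is evaluated once per window without anything else having to poll. The periodic flush is driven by the pipeline's 5-second flush tick, so a 2-second interval will in practice fire on that cadence, which is still short enough to watch the counter move as lines are pasted.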
