Using throttle filter, same events get the tag "throttled" and some others don't.
follow the content from throttle conf file:
filter {
throttle {
before_count => -1
after_count => 1
period => "86400" # 1 day
max_age => 172800 # 2 days
add_tag => [ "throttled" ]
key => "%{_id}%{message}"
}
}
Example:
I send this 4 following events logs:
{
"@timestamp": "2020-02-06T13:15:39.691Z",
"_id": "10b75bn7",
"message": "Security Policy 'Filebeat_LAN' was Enable by 'admin' from '192.168.234.9' using 'GUI'"
}
{
"@timestamp": "2020-02-06T13:15:44.163Z",
"_id": "10b75bn7",
"message": "Security Policy 'Filebeat_LAN' was Disable by 'admin' from '192.168.234.9' using 'GUI'"
}
{
"@timestamp": "2020-02-06T13:15:48.499Z",
"_id": "10b75bn7",
"message": "Security Policy 'Filebeat_LAN' was Enable by 'admin' from '192.168.234.9' using 'GUI'"
}
{
"@timestamp": "2020-02-06T13:15:52.879Z",
"_id": "10b75bn7",
"message": "Security Policy 'Filebeat_LAN' was Disable by 'admin' from '192.168.234.9' using 'GUI'"
}
after the filter I drop all events with the tag "throttled".
The problem is that only the second "Disable" log event get the tag "throttled", this way the second "Enable" log passes through the filter.