Pipeline throttle not working properly

Henrique_Gossi · February 6, 2020, 2:22pm

Using throttle filter, same events get the tag "throttled" and some others don't.

follow the content from throttle conf file:

filter {
  throttle {
    before_count => -1
    after_count => 1
    period => "86400" # 1 day
    max_age => 172800 # 2 days
    add_tag => [ "throttled" ]
    key => "%{_id}%{message}"
  }
}

Example:

I send this 4 following events logs:

{
	"@timestamp": "2020-02-06T13:15:39.691Z",
	"_id": "10b75bn7",
	"message": "Security Policy 'Filebeat_LAN' was Enable by 'admin' from '192.168.234.9' using 'GUI'"
}

{
	"@timestamp": "2020-02-06T13:15:44.163Z",
	"_id": "10b75bn7",
	"message": "Security Policy 'Filebeat_LAN' was Disable by 'admin' from '192.168.234.9' using 'GUI'"
}

{
	"@timestamp": "2020-02-06T13:15:48.499Z",
	"_id": "10b75bn7",
	"message": "Security Policy 'Filebeat_LAN' was Enable by 'admin' from '192.168.234.9' using 'GUI'"
}

{
	"@timestamp": "2020-02-06T13:15:52.879Z",
	"_id": "10b75bn7",
	"message": "Security Policy 'Filebeat_LAN' was Disable by 'admin' from '192.168.234.9' using 'GUI'"
}

after the filter I drop all events with the tag "throttled".
The problem is that only the second "Disable" log event get the tag "throttled", this way the second "Enable" log passes through the filter.

system · March 5, 2020, 2:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Throttle Filter Logstash Logstash	2	199	June 3, 2022
Throttle filter is not throttling correctly Logstash	1	428	February 24, 2021
Throttle filter: Notify on throttle Logstash	9	1070	February 21, 2021
How logstash throttle filter works with auto scaling and pipeline workers? Logstash	5	740	May 31, 2018
Throttling plugin not working with lot of messages Logstash	11	707	May 9, 2022

Pipeline throttle not working properly

Related Topics