Pipeline throttle not working properly

Henrique_Gossi · February 6, 2020, 2:22pm

Using throttle filter, same events get the tag "throttled" and some others don't.

follow the content from throttle conf file:

filter {
  throttle {
    before_count => -1
    after_count => 1
    period => "86400" # 1 day
    max_age => 172800 # 2 days
    add_tag => [ "throttled" ]
    key => "%{_id}%{message}"
  }
}

Example:

I send this 4 following events logs:

{
	"@timestamp": "2020-02-06T13:15:39.691Z",
	"_id": "10b75bn7",
	"message": "Security Policy 'Filebeat_LAN' was Enable by 'admin' from '192.168.234.9' using 'GUI'"
}

{
	"@timestamp": "2020-02-06T13:15:44.163Z",
	"_id": "10b75bn7",
	"message": "Security Policy 'Filebeat_LAN' was Disable by 'admin' from '192.168.234.9' using 'GUI'"
}

{
	"@timestamp": "2020-02-06T13:15:48.499Z",
	"_id": "10b75bn7",
	"message": "Security Policy 'Filebeat_LAN' was Enable by 'admin' from '192.168.234.9' using 'GUI'"
}

{
	"@timestamp": "2020-02-06T13:15:52.879Z",
	"_id": "10b75bn7",
	"message": "Security Policy 'Filebeat_LAN' was Disable by 'admin' from '192.168.234.9' using 'GUI'"
}

after the filter I drop all events with the tag "throttled".
The problem is that only the second "Disable" log event get the tag "throttled", this way the second "Enable" log passes through the filter.

system · March 5, 2020, 2:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Throttle Filter Logstash Logstash	2	201	June 3, 2022
Throttle Moving Window Logstash	2	395	August 18, 2017
Throttle filter is not throttling correctly Logstash	1	430	February 24, 2021
Throttle filter: Notify on throttle Logstash	9	1077	February 21, 2021
Logstash tag events if it occurs more than certain limit Logstash	2	699	July 6, 2017

Pipeline throttle not working properly

Related topics