Throttle Filter Logstash

Bigboy0706 · May 6, 2022, 8:12am

Hi
As there are some deduplicated log ingressing into logstash
That's why I would like to use the Throttle Filter to filter out the log
The config is listed as below

filter {
     if [name] == "pack_incident_response_process_events" {
        throttle {
          before_count => -1
          after_count => 1
          period => 10
          max_age => 20
          key => "%{hostIdentifier_s}%{columns_cmdline_s}%{columns_path_s}"
          add_tag => "throttledd"
        }
  }

But for the result, only one event is able to shown-up without the throttledd tags which mean the other different log had been filtered-out if I drop the tags = throttledd, but i just want to filter out the same cmdline log.

Please advise.

Thanks

Badger · May 6, 2022, 4:47pm

The throttle filter adds a tag to indicate that events have the same [key] value. What to do with that information is left to you. For example, you can

if "throttled" in [tags] { drop {} }

to discard the duplicates if that is what you want.

system · June 3, 2022, 4:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline throttle not working properly Logstash	1	433	March 5, 2020
Throttle filter: Notify on throttle Logstash	9	1077	February 21, 2021
Throttle Moving Window Logstash	2	395	August 18, 2017
Throttle filter is not throttling correctly Logstash	1	430	February 24, 2021
Creating a New Event and Adding Tags in a Filter Programmatically Logstash	2	502	July 6, 2017

Throttle Filter Logstash

Related topics