Throttle filter per value?

Happy new year to everybody.

I have a question regarding the throttle filter. I need to rate limit some of my data.

Situation:
I've got an application log with a GPS field and an error field. For the GPS field I only need to save one value every 15 minutes, this seems perfectly doable with key => "%{gps_loc}".

However, for the error field there is a whole array of different errors that might be produced, and I want to save every error but not save more than one unique error per 60 minutes.

Example:
Error_1, Error_10 and Error_99 occur within a one-hour window. I want to save all three errors but each error should not be saved more than one time within one hour.

With key => "%{error_field}" I think it will just save one value per hour. Is there any way to achieve what I want to do?

To answer my own questions:

key => "%{error_field}"
Saves every unique error in accordance with the period and count you configured.

key => "error_field"
Will only save this field once regardless of whether the field value has occurred before.

Now I just need to change the grok for my GPS field to get all data into one field, apply the throttle, and then have another grok to dissect the GPS field into separate bits.
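
The per-value behaviour described in the answer above, written out as a Logstash filter block. This is an added example, not configuration from the original post: `error_field` is the field name used in the thread, while the `throttled` tag name, the `drop` step, the `max_age` value and the guard conditional are assumptions.

```logstash
filter {
  # Guard (assumption): events without error_field would otherwise all share
  # the unexpanded literal key "%{error_field}" and throttle each other.
  if [error_field] {
    # The sprintf reference %{error_field} is expanded for every event, so
    # Error_1, Error_10 and Error_99 each get their own counter.
    throttle {
      key         => "%{error_field}"
      after_count => 1          # the first event for a key passes untagged
      period      => "3600"     # counter lifetime in seconds (60 minutes)
      max_age     => 7200       # assumption: twice the period, the plugin's rule of thumb
      add_tag     => "throttled"
    }

    # Repeats of the same error inside the period carry the tag; drop them.
    if "throttled" in [tags] {
      drop { }
    }
  }

  # Contrast: key => "error_field" (no %{...}) is a literal string, so every
  # event shares one counter and only one event per period passes.
}
```

The throttle filter only tags events; nothing is discarded until the conditional `drop` runs, so the tag can instead be used to route repeats to a cheaper output if the suppressed errors still matter for later investigation.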
