Throttle filter per value?

Sjaak01 · January 5, 2018, 1:23am

Happy new year to everybody.

I have a question regarding the throttle filter. I need to rate limit some of my data.

Situation:
I've got a application log with a GPS field and a error field. For the GPS field I only need to save one value every 15 minutes, this seems perfectly doable with key => "%{gps_loc}".

However for the error field there is a whole array of different errors that might be produced and I want to save every error but not save more than one unique error per 60 minutes.

Example:
Error_1, Error_10 and Error_99 occur within a one hour windows. I want to save all three errors but each error should not be saved more than one time within one hour.

With key => "%{error_field}" I think it will just save one value per hour. Is there any way to achieve what I want to do?

Sjaak01 · January 5, 2018, 7:35am

To answer my own questions:

key => "%{error_field}"
Saves every unique error in accordance with period and count you configured.

key => "error_field"
Will only save this field once regardless of of whether the field value has occurred before.

Now I just need to change the grok for my GPS field to get all data into one field, apply the throttle, and then have another grok to dissect the GPS field into separate bits.

system · February 2, 2018, 7:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Throttle filter]How can I string this field? Logstash	2	372	February 8, 2018
Throttle filter picking up old instead of new value Logstash	2	406	February 3, 2018
Seperating fields in a string Logstash	1	370	February 9, 2018
How to use throttle filter to add tag to only one record Logstash	1	239	July 30, 2021
Logstash KV filter time field Logstash elastic-stack-monitoring , elastic-stack-security	6	492	August 17, 2021

Throttle filter per value?

Related topics