Hi,
I'm struggling a bit with the throttle filter. After the period expires I expect the throttle filter to save the first new event, but instead it's saving the last old event.
input {
  file {
    path => "/home/test/Desktop/test/kvh/test.txt"
    sincedb_path => "/dev/null"
    start_position => "beginning"
  }
}
filter {
  # Strip the characters + $ > * from the raw line
  mutate {
    gsub => [
      "message", "[+$>*]", ""
    ]
  }
  grok {
    match => { "message" => [
      "%{GREEDYDATA:TIME} GPRMC,%{GREEDYDATA:GPS}"
    ] }
    tag_on_failure => [ "grok_failure" ]
  }
  if "grok_failure" in [tags] {
    drop { }
  }
  mutate {
    add_field => {
      "GPRMC" => "%{TIME} GPRMC,%{GPS}"
    }
    remove_field => ["TIME", "GPS", "path", "@version", "host", "message"]
  }
  # Tag every event after the first one in each 60-second period
  throttle {
    before_count => -1
    after_count => 1
    period => 60
    max_age => 180
    key => "GPRMC"
    add_tag => "throttled"
  }
  if "throttled" in [tags] {
    drop { }
  }
}
Ignore the grok filter for a moment and let's say my input is error1, error2 etc.
What I see happening is this:
- I have an empty file and start logstash.
- I copy error1 to the file. Error1 appears in stdout, this is correct.
- I paste error1 again within 60 seconds, nothing appears, I paste error2 within one minute, nothing appears. This is correct.
- 60+ seconds after I pasted the first error1 I paste error3 into the file. Error2 appears in the output.
I don't believe this is correct and instead want the first value after the throttle period has passed to be logged and not the last value from the previous period.
What am I doing wrong? I tried changing beginning to end and the sincedb path in the file input just in case but that doesn't appear to be the issue. As far as I can tell the throttle filter is correct.