I've created a filter to throttle isolated messages from several servers. When the system receives 50 equal messages from a specific server, I add a tag "e-mail".
Output sends an e-mail when a message has this tag. However, it sends 3 e-mails instead of sending one.
I don't know why; is there something wrong in my config?
```
filter {
  throttle {
    before_count => 24
    after_count => 26
    period => 300
    key => "[%{host}][ws_bingobombo]"
    add_tag => "error_ws_bingobombo"
  }
  # events the throttle did NOT tag get the e-mail tag
  if "error_ws_bingobombo" not in [tags] {
    mutate {
      add_tag => ["email_ws_social_error"]
    }
  }
}

output {
  # placeholder values ("addresses", "my server ip", "my domain") left as posted
  if "email_ws_social_error" in [tags] {
    email {
      to => "addresses"
      address => "my server ip"
      body => "Error ... [HOST:%{host}]--[TIME:%{time}]"
      domain => "my domain"
      from => "servidor.logs@domain.com"
      subject => "[%{host}] - Error"
      via => "smtp"
    }
  }
}
```
I don't understand why it is sending 3 e-mails within the same time (2 seconds between them).
The throttle condition you have written is not throttling the 24th, 25th and 26th events; therefore, as per your condition `if "error_ws_bingobombo" not in [tags]`, it will generate 3 email alerts for those three events.
If you wish to generate a single alert, change the counts to before_count => 24, after_count => 24.
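To see why the counts matter, here is an added example (not the throttle plugin's own code) that models the documented counting rule: per key, within one period, an event is tagged when its count is below before_count or above after_count, and the poster's mutate rule then e-mails every untagged event. It assumes a single fixed period rather than the plugin's sliding window, and the host and message values are constructed.

```python
from collections import defaultdict


def throttle_tags(events, before_count, after_count, period, key_field="host"):
    """Simplified model of the Logstash throttle filter (assumed to follow the
    plugin docs): count events per key inside a fixed period; an event is
    throttled, i.e. gets the tag, when count < before_count or count > after_count.
    Returns the list of tags each event ends up with."""
    counters = defaultdict(lambda: [None, 0])  # key -> [window start, count]
    tags = []
    for ts, ev in events:
        key = ev[key_field]
        start, count = counters[key]
        if start is None or ts - start >= period:
            start, count = ts, 0  # period elapsed: open a new window
        count += 1
        counters[key] = [start, count]
        throttled = count < before_count or count > after_count
        event_tags = ["error_ws_bingobombo"] if throttled else []
        # the poster's mutate rule: untagged events get the e-mail tag
        if "error_ws_bingobombo" not in event_tags:
            event_tags.append("email_ws_social_error")
        tags.append(event_tags)
    return tags


def count_emails(n_events, before_count, after_count):
    """E-mails the output stage would send for n identical events from one
    host arriving one second apart, all inside a single 300 s period."""
    events = [  # constructed sample input
        (i, {"host": "web-01", "message": "ws_bingobombo failed"})
        for i in range(n_events)
    ]
    tags = throttle_tags(events, before_count, after_count, period=300)
    return sum("email_ws_social_error" in t for t in tags)


if __name__ == "__main__":
    print(count_emails(50, 24, 26))  # poster's config: 3 (events 24, 25, 26)
    print(count_emails(50, 24, 24))  # suggested fix: 1 (event 24 only)
```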