Throttle Moving Window

Is it possible to have a moving window to monitor events through the throttle filter or something similar?

Ex.
If I run this throttle filter:

filter {
  if [event] == "SomeEvent" {
    throttle {
      after_count => 2        # events beyond the 2nd for a key within one period get the tag
      period => "10"          # length of the counting period, in seconds
      key => "throttle_key"   # fixed key, so all matching events are counted together
      add_tag => ["Alert"]    # applied to the events that exceed after_count
    }
  }
}

If I have messages that would match the event with the following timestamps:

  1. "timestamp":"2017-07-10T18:25:10.000000"
  2. "timestamp":"2017-07-10T18:25:13.000000"
  3. "timestamp":"2017-07-10T18:25:21.000000"
  4. "timestamp":"2017-07-10T18:25:22.000000"

None of the messages will get the tag, even though there are 3 messages in a 10 second period (2, 3, and 4). Is there anything that will catch that?
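The following is an added illustration, not code from the question or from the throttle plugin. It models the two counting strategies the question contrasts: counting per fixed timeslot (slot boundaries at multiples of `period`, which is what the numbers above imply: events 1 and 2 land in the :10 to :20 slot, events 3 and 4 in the :20 to :30 slot, so neither slot exceeds `after_count`) versus a true sliding window that looks back `period` seconds from each event's own timestamp. The four sample events are the question's timestamps, constructed inline; the helper names and the assumption that timestamps without a zone are UTC are mine.

```ruby
require 'time'

# Constructed sample input: the four matching events from the question.
SAMPLE_EVENTS = [
  { 'event' => 'SomeEvent', 'timestamp' => '2017-07-10T18:25:10.000000' },
  { 'event' => 'SomeEvent', 'timestamp' => '2017-07-10T18:25:13.000000' },
  { 'event' => 'SomeEvent', 'timestamp' => '2017-07-10T18:25:21.000000' },
  { 'event' => 'SomeEvent', 'timestamp' => '2017-07-10T18:25:22.000000' },
].freeze

# Epoch seconds of an event timestamp; the sample timestamps carry no zone,
# so they are read as UTC (an assumption made for this illustration).
def epoch(event)
  Time.parse("#{event['timestamp']}Z").to_i
end

# Fixed-timeslot counting (the behaviour the question's numbers imply):
# every event goes into the slot that contains its timestamp, with slot
# boundaries at multiples of `period`, and an event is tagged once its slot
# has seen more than `after_count` events for the same key.
# Returns the tags (['Alert'] or []) for each event, in input order.
def fixed_timeslot_tags(events, period:, after_count:, key: 'throttle_key')
  counts = Hash.new(0)
  events.map do |e|
    t = epoch(e)
    slot = [key, t - (t % period)]
    counts[slot] += 1
    counts[slot] > after_count ? ['Alert'] : []
  end
end

# Sliding-window counting: an event is tagged when more than `after_count`
# events for the same key fall inside the `period` seconds ending at its own
# timestamp, regardless of where fixed slot boundaries happen to lie.
def sliding_window_tags(events, period:, after_count:, key: 'throttle_key')
  recent = Hash.new { |h, k| h[k] = [] }
  events.map do |e|
    t = epoch(e)
    window = recent[key]
    window << t
    window.reject! { |ts| ts <= t - period } # drop timestamps older than the window
    window.size > after_count ? ['Alert'] : []
  end
end

if $PROGRAM_NAME == __FILE__
  puts "timeslots:      #{fixed_timeslot_tags(SAMPLE_EVENTS, period: 10, after_count: 2).inspect}"
  puts "sliding window: #{sliding_window_tags(SAMPLE_EVENTS, period: 10, after_count: 2).inspect}"
end
```

Run as `ruby throttle_window.rb`: the timeslot model tags nothing, while the sliding window tags the fourth event, because events 2, 3 and 4 (18:25:13 to 18:25:22) fall within nine seconds of each other. The sliding version keeps every timestamp of the last `period` seconds per key, so memory grows with the burst rate rather than staying at one counter per slot; that is the trade-off a moving window buys the detection with.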

Hmmm, that should work. Is it tagging any events at all?
