Throttle the alerts


(sri) #1

Log :

2018-07-10 06:02:22,989 [myid:1] - ERROR Processing ruok command from /127.0.0.1:33542

When the same error comes with a different timestamp i am unable to throttle the alerts

In the filter i have

 if [log] =~ "ERROR"   
   {
    throttle { 
      period => 3600
      before_count => -1
      after_count => 1
      key => "%{log}"
      add_tag => "raisealert1"
    }        
   }

In output i have
if "raisealert1" in [tags] {

 email  {

          to => "alerttestgroup@qolsys.com"
          from => "xyz"
          address => "smtp.office365.com"
          codec => "plain"
          via => "smtp"
          contenttype => "text/html; charset=UTF-8"
          username => "xyz
          password => "pwd"
          subject => " Alert Report %{source} "
          body => " Alert LOG is : %{log} %{message}  HARDWARE DETAILS : VM1Local CLuster"
          port => 587
          use_tls => true
          authentication => login

    }

But the alerts are raised for each second.
how can i control the alerts if the same error occurs within an hr for more than 10 times then i have to alert only once.
mailbox is flooding

help pls


(Magnus B├Ąck) #2

You really don't want to use Logstash in this way. Use a tool meant for alerting instead. If you're storing events in ES have a look at Watcher and Elastalert.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.