Throttle the alerts

soumya1 · July 10, 2018, 7:08am

Log :

2018-07-10 06:02:22,989 [myid:1] - ERROR Processing ruok command from /127.0.0.1:33542

When the same error comes with a different timestamp i am unable to throttle the alerts

In the filter i have

 if [log] =~ "ERROR"   
   {
    throttle { 
      period => 3600
      before_count => -1
      after_count => 1
      key => "%{log}"
      add_tag => "raisealert1"
    }        
   }

In output i have
if "raisealert1" in [tags] {

 email  {

          to => "alerttestgroup@qolsys.com"
          from => "xyz"
          address => "smtp.office365.com"
          codec => "plain"
          via => "smtp"
          contenttype => "text/html; charset=UTF-8"
          username => "xyz
          password => "pwd"
          subject => " Alert Report %{source} "
          body => " Alert LOG is : %{log} %{message}  HARDWARE DETAILS : VM1Local CLuster"
          port => 587
          use_tls => true
          authentication => login

    }

But the alerts are raised for each second.
how can i control the alerts if the same error occurs within an hr for more than 10 times then i have to alert only once.
mailbox is flooding

help pls

magnusbaeck · July 11, 2018, 9:45pm

You really don't want to use Logstash in this way. Use a tool meant for alerting instead. If you're storing events in ES have a look at Watcher and Elastalert.

system · August 8, 2018, 9:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.