Use threshold to trigger email sending


(marc) #1

Hi,

I'm using logstash + elasticsearch + kibana to monitor my logfiles.
What I'm doing is sending an e-mail each time a field contains a pattern. But it is not useful as I get a lot of entries with that pattern. I want to know if it is possible to send e-mails after receiving 20 logs with that pattern in a minute.

I'm sure it is possible but I cannot make it work like that.

Thanks


(Robert Toellner) #2

I'm assuming you've looked at the throttle plugin documentation, it has good info on this?

You should be able to set:

before_count => 21
after_count => 21
period => 60


(marc) #3

Hi RobT,

I think it is not what I'm looking for.
I want all events to be parsed, BUT only when my logstash receives 10 specific events in 1 minute, then it sends an e-mail.
I think that throttle drops some events, doesn't it?

Thanks


(Robert Toellner) #4

This plugin allows you to establish the throttle condition and then gives you the opportunity to modify the event based on that ( i.e. add a tag to it ). You still need to act upon that condition. For example, I use two throttles one to limit emails and one to drop events.

The docs include an email code snippet that is very close to what you need from the sound of it.


(marc) #5

Hi RobT,

It is close. Can I send an e-mail when a field containing 5 specific words is parsed within 1 minute?
I mean, that field can contain: warn, info, error... if it contains error it counts, if it contains warn it doesn't... do you understand?

Thanks

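A pipeline that puts posts #4 and #5 together, added here as an illustration and not taken from the thread or the Logstash docs: only events whose level field is "error" are counted, throttle tags them instead of dropping them, every event is still indexed, and the email output fires once per minute, on the 20th error. The field name `[level]`, the Elasticsearch host and the e-mail addresses are assumptions; replace them with whatever your own parsing and mail setup use.

```logstash
input {
  stdin { }
}

filter {
  # Only "error" events enter the throttle; warn/info are parsed but never counted.
  # [level] is an assumed field name produced by your own grok/json parsing.
  if [level] == "error" {
    throttle {
      period       => 60        # one counting window is 60 seconds
      max_age      => 120       # keep the window around a bit longer for late events
      key          => "errors"  # a constant key gives one global counter
      # Events 1..19 of a window are tagged (before_count), events 21+ are tagged
      # (after_count); the 20th error of the minute is the only one left untagged.
      before_count => 20
      after_count  => 20
      add_tag      => "throttled"
    }
  }
}

output {
  # Every event, tagged or not, is still indexed: throttle never drops anything.
  elasticsearch {
    hosts => ["localhost:9200"]   # assumed host
  }

  # Only the single untagged error per minute reaches the email output.
  if [level] == "error" and "throttled" not in [tags] {
    email {
      to      => "ops@example.com"           # assumed recipient
      subject => "20 errors in the last minute"
      body    => "Threshold reached. Latest error: %{message}"
    }
  }
}
```

The tag is the whole mechanism: throttle only decides which events to tag, and the output conditional decides what to do about it. If you want a separate counter per host instead of one global counter, change `key` to something like `"%{host}"`.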

(Spuder) #6

What you want is the metrics plugin for logstash.

https://www.elastic.co/guide/en/logstash/current/plugins-filters-metrics.html

input {
  stdin {
  }
}

filter {
  if [message] =~ "fire" {
    metrics {
      meter => "fire-meter"
      add_tag => "oh-crap"
    }
  }
}

output {
  # only emit the metric events, which carry the 'oh-crap' tag
  if "oh-crap" in [tags] {
    stdout {
      codec => line {
        format => "rate: %{[fire-meter][rate_1m]}"
      }
    }
  }
}

It will then print out the rate based on the rolling window.

Here is an example log message

{"_id": "1234","message": "fire fire fire"}
