logstash alert after 1000 occurences

logstash

Solution 1:

You may have better success using the metrics filter.

filter {
  my_filtering_conditional_that_is_100%_correct {
    metrics {
      meter => [ "events" ]
      flush_interval => 600
      clear_interval => 600
      add_tag => "events"
    }
  }
}

output {
  if "events" in [tags] {
    if [events][count] > 1000 {
      # do things
    }
  }
}

Solution 2:

I think that your best option would be to use http://riemann.io/. It handle events "flows" and that kind of logic wouldn't be to difficult to represent there.

The example on the following link creates an alert when there are more that 5 events of a certain type:

(streams
  (where (<= 0 metric 5)
    (with :state "ok" index)
    (else
      (with :state "warning" index))))

http://riemann.io/howto.html#set-thresholds

Greetings,

Related

Add a custom header to Postfix with the relayed domain
DNS Always Getting Non-Authoritative Answer
how can I use openssl to download my ldap cert over port 389 instead of 636 (TLS)?
Unstable 10Gb copper links, Broadcom and Intel cards to Cisco 4900M switches
Should i disable DNS recursion?
On FreeNas what is the difference between the "Permission Type" and the "Share Type" setting?
What is reasonable storage failover time that most OS (VM) can tolerate?
Can clang format add braces to single line if statements etc
When to use a react framework such as Next or Gatsby vs Create React App [closed]
How to correctly read an Interlocked.Increment'ed int field?
Resharper: Implicitly captured closure: this
Docker on CentOS 7.2: kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1