将数字变量传递到节气门滤波器的max_age字段的正确方法是什么

时间:2019-02-18 20:28:15

标签: logstash throttling

如何将整数字段传递给节气门滤波器块的max_age参数?我无法克服下面显示的错误。 

[ERROR] 2019-02-18 20:19:30.005 [Converge PipelineAction::Create<main>] throttle - Invalid setting for throttle filter plugin:

  filter {
    throttle {
      # This setting must be a number
      # Expected number, got "throttle_max_age" (type throttle_max_age)
      max_age => ["throttle_max_age"]
      ...
    }
  }

logstash配置的过滤器部分:

filter {

    mutate { add_field => { "eventkey" => "%{[logger][hostname]}-%{[probe][name]}-%{voltage_category}" } }

    # Specific alert frequencies for different alert categories
    if ["voltage_category] == "normal" {
        # Voltage normal
        # 86400 = one day
        mutate { add_field => { "throttle_period" => 86400 }  }
        # Two days and ten seconds
        mutate { add_field => { "throttle_max_age" => 172810 } }
    } else {
        # Abnormal event. Throttle less, so more notifications are transmitted
        mutate { add_field => { "throttle_period" => 15 } }
        mutate { add_field => { "throttle_max_age" => 180 } }
    } # end of voltage abnormal

    # Added this for S & G - had no effect. 
    mutate { convert => { "throttle_max_age" => "integer" } }

    # For a given ID, emit ONE event no more than every 15 seconds
    # ID: logger.hostname + probe.name
    throttle {
        key => "%{eventkey}"
        period => [throttle_period]
        max_age => [throttle_max_age]
        before_count => -1
        after_count => 1
        add_tag => "throttled"
    }
}

1 个答案:

答案 0 :(得分:2)

不幸的是,目前似乎无法做到这一点,因为该值在Logstash配置加载时已经过验证并且需要一个具体的数字值。

这是节流插件的源代码,它在其中检查值是否为数字:
https://github.com/logstash-plugins/logstash-filter-throttle/blob/master/lib/logstash/filters/throttle.rb#L191
与允许字段替换的期间值进行比较:
https://github.com/logstash-plugins/logstash-filter-throttle/blob/5c8d3543ba0eed9ba8a93ae4ffbef7fb15d881ea/lib/logstash/filters/throttle.rb#L197

作为一种变通方法,如果对max_age的值只有几个案例,则可以修改条件并在其中放置两个节流过滤器。例如:

# Specific alert frequencies for different alert categories
if ["voltage_category] == "normal" {
    # Voltage normal
    throttle {
        key => "%{eventkey}"
        # 86400 = one day
        period => 86400
        # Two days and ten seconds
        max_age => 172810
        before_count => -1
        after_count => 1
        add_tag => "throttled"
    }
} else {
    # Abnormal event. Throttle less, so more notifications are transmitted
    throttle {
        key => "%{eventkey}"
        period => 15
        max_age => 180
        before_count => -1
        after_count => 1
        add_tag => "throttled"
    }
    # end of voltage abnormal
}
相关问题
最新问题