logstash-filter-throttle 4.0.1 → 4.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +8 -1
- data/docs/index.asciidoc +252 -0
- data/logstash-filter-throttle.gemspec +2 -2
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0d603f018f22197b49bacbe89a1e45b672bb9fad
|
4
|
+
data.tar.gz: 5d8dd804f76052b84a82035976ab7b2ae6a016a5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ecffd47a2d3c3c13aa4a846e99a3bbce3dca68ac99f79635d97678f090fd9a0c420b64c81dad6d5d6fa582f8f3f30d07b656c677988c1dbd561e674102d390f4
|
7
|
+
data.tar.gz: 9dd54ea19e284b7eda5506b6f2228c577c5d80f79162d782b7fd42639e90ff99cf367d33c54ffc8ceb2e0763f66b9a94082a3d9020886064b77a280a1a6735ec
|
data/Gemfile
CHANGED
@@ -1,4 +1,11 @@
|
|
1
1
|
source 'https://rubygems.org'
|
2
2
|
|
3
|
-
# Specify your gem's dependencies in logstash-mass_effect.gemspec
|
4
3
|
gemspec
|
4
|
+
|
5
|
+
logstash_path = ENV["LOGSTASH_PATH"] || "../../logstash"
|
6
|
+
use_logstash_source = ENV["LOGSTASH_SOURCE"] && ENV["LOGSTASH_SOURCE"].to_s == "1"
|
7
|
+
|
8
|
+
if Dir.exist?(logstash_path) && use_logstash_source
|
9
|
+
gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
|
10
|
+
gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
|
11
|
+
end
|
data/docs/index.asciidoc
ADDED
@@ -0,0 +1,252 @@
|
|
1
|
+
:plugin: throttle
|
2
|
+
:type: filter
|
3
|
+
|
4
|
+
///////////////////////////////////////////
|
5
|
+
START - GENERATED VARIABLES, DO NOT EDIT!
|
6
|
+
///////////////////////////////////////////
|
7
|
+
:version: %VERSION%
|
8
|
+
:release_date: %RELEASE_DATE%
|
9
|
+
:changelog_url: %CHANGELOG_URL%
|
10
|
+
:include_path: ../../../../logstash/docs/include
|
11
|
+
///////////////////////////////////////////
|
12
|
+
END - GENERATED VARIABLES, DO NOT EDIT!
|
13
|
+
///////////////////////////////////////////
|
14
|
+
|
15
|
+
[id="plugins-{type}-{plugin}"]
|
16
|
+
|
17
|
+
=== Throttle filter plugin
|
18
|
+
|
19
|
+
include::{include_path}/plugin_header.asciidoc[]
|
20
|
+
|
21
|
+
==== Description
|
22
|
+
|
23
|
+
The throttle filter is for throttling the number of events. The filter is
|
24
|
+
configured with a lower bound, the "before_count", and upper bound, the "after_count",
|
25
|
+
and a period of time. All events passing through the filter will be counted based on
|
26
|
+
their key and the event timestamp. As long as the count is less than the "before_count"
|
27
|
+
or greater than the "after_count", the event will be "throttled" which means the filter
|
28
|
+
will be considered successful and any tags or fields will be added (or removed).
|
29
|
+
|
30
|
+
The plugin is thread-safe and properly tracks past events.
|
31
|
+
|
32
|
+
For example, if you wanted to throttle events so you only receive an event after 2
|
33
|
+
occurrences and you get no more than 3 in 10 minutes, you would use the configuration:
|
34
|
+
[source,ruby]
|
35
|
+
period => 600
|
36
|
+
max_age => 1200
|
37
|
+
before_count => 3
|
38
|
+
after_count => 5
|
39
|
+
|
40
|
+
Which would result in:
|
41
|
+
==========================
|
42
|
+
event 1 - throttled (successful filter, period start)
|
43
|
+
event 2 - throttled (successful filter)
|
44
|
+
event 3 - not throttled
|
45
|
+
event 4 - not throttled
|
46
|
+
event 5 - not throttled
|
47
|
+
event 6 - throttled (successful filter)
|
48
|
+
event 7 - throttled (successful filter)
|
49
|
+
event x - throttled (successful filter)
|
50
|
+
period end
|
51
|
+
event 1 - throttled (successful filter, period start)
|
52
|
+
event 2 - throttled (successful filter)
|
53
|
+
event 3 - not throttled
|
54
|
+
event 4 - not throttled
|
55
|
+
event 5 - not throttled
|
56
|
+
event 6 - throttled (successful filter)
|
57
|
+
...
|
58
|
+
==========================
|
59
|
+
Another example is if you wanted to throttle events so you only
|
60
|
+
receive 1 event per hour, you would use the configuration:
|
61
|
+
[source,ruby]
|
62
|
+
period => 3600
|
63
|
+
max_age => 7200
|
64
|
+
before_count => -1
|
65
|
+
after_count => 1
|
66
|
+
|
67
|
+
Which would result in:
|
68
|
+
==========================
|
69
|
+
event 1 - not throttled (period start)
|
70
|
+
event 2 - throttled (successful filter)
|
71
|
+
event 3 - throttled (successful filter)
|
72
|
+
event 4 - throttled (successful filter)
|
73
|
+
event x - throttled (successful filter)
|
74
|
+
period end
|
75
|
+
event 1 - not throttled (period start)
|
76
|
+
event 2 - throttled (successful filter)
|
77
|
+
event 3 - throttled (successful filter)
|
78
|
+
event 4 - throttled (successful filter)
|
79
|
+
...
|
80
|
+
==========================
|
81
|
+
A common use case would be to use the throttle filter to throttle events before 3 and
|
82
|
+
after 5 while using multiple fields for the key and then use the drop filter to remove
|
83
|
+
throttled events. This configuration might appear as:
|
84
|
+
[source,ruby]
|
85
|
+
filter {
|
86
|
+
throttle {
|
87
|
+
before_count => 3
|
88
|
+
after_count => 5
|
89
|
+
period => 3600
|
90
|
+
max_age => 7200
|
91
|
+
key => "%{host}%{message}"
|
92
|
+
add_tag => "throttled"
|
93
|
+
}
|
94
|
+
if "throttled" in [tags] {
|
95
|
+
drop { }
|
96
|
+
}
|
97
|
+
}
|
98
|
+
|
99
|
+
Another case would be to store all events, but only email non-throttled events
|
100
|
+
so the op's inbox isn't flooded with emails in the event of a system error.
|
101
|
+
This configuration might appear as:
|
102
|
+
[source,ruby]
|
103
|
+
filter {
|
104
|
+
throttle {
|
105
|
+
before_count => 3
|
106
|
+
after_count => 5
|
107
|
+
period => 3600
|
108
|
+
max_age => 7200
|
109
|
+
key => "%{message}"
|
110
|
+
add_tag => "throttled"
|
111
|
+
}
|
112
|
+
}
|
113
|
+
output {
|
114
|
+
if "throttled" not in [tags] {
|
115
|
+
email {
|
116
|
+
from => "logstash@mycompany.com"
|
117
|
+
subject => "Production System Alert"
|
118
|
+
to => "ops@mycompany.com"
|
119
|
+
via => "sendmail"
|
120
|
+
body => "Alert on %{host} from path %{path}:\n\n%{message}"
|
121
|
+
options => { "location" => "/usr/sbin/sendmail" }
|
122
|
+
}
|
123
|
+
}
|
124
|
+
elasticsearch_http {
|
125
|
+
host => "localhost"
|
126
|
+
port => "19200"
|
127
|
+
}
|
128
|
+
}
|
129
|
+
|
130
|
+
When an event is received, the event key is stored in a key_cache. The key references
|
131
|
+
a timeslot_cache. The event is allocated to a timeslot (created dynamically) based on
|
132
|
+
the timestamp of the event. The timeslot counter is incremented. When the next event is
|
133
|
+
received (same key), within the same "period", it is allocated to the same timeslot.
|
134
|
+
The timeslot counter is incremented once again.
|
135
|
+
|
136
|
+
The timeslot expires if the maximum age has been exceeded. The age is calculated
|
137
|
+
based on the latest event timestamp and the max_age configuration option.
|
138
|
+
|
139
|
+
---[::.. DESIGN ..::]---
|
140
|
+
|
141
|
+
+- [key_cache] -+ +-- [timeslot_cache] --+
|
142
|
+
| | | @created: 1439839636 |
|
143
|
+
| @latest: 1439839836 |
|
144
|
+
[a.b.c] => +----------------------+
|
145
|
+
| [1439839636] => 1 |
|
146
|
+
| [1439839736] => 3 |
|
147
|
+
| [1439839836] => 2 |
|
148
|
+
+----------------------+
|
149
|
+
|
150
|
+
+-- [timeslot_cache] --+
|
151
|
+
| @created: eeeeeeeeee |
|
152
|
+
| @latest: llllllllll |
|
153
|
+
[x.y.z] => +----------------------+
|
154
|
+
| [0000000060] => x |
|
155
|
+
| [0000000120] => y |
|
156
|
+
| | | [..........] => N |
|
157
|
+
+---------------+ +----------------------+
|
158
|
+
|
159
|
+
Frank de Jong (@frapex)
|
160
|
+
Mike Pilone (@mikepilone)
|
161
|
+
|
162
|
+
only update if greater than current
|
163
|
+
|
164
|
+
[id="plugins-{type}s-{plugin}-options"]
|
165
|
+
==== Throttle Filter Configuration Options
|
166
|
+
|
167
|
+
This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
|
168
|
+
|
169
|
+
[cols="<,<,<",options="header",]
|
170
|
+
|=======================================================================
|
171
|
+
|Setting |Input type|Required
|
172
|
+
| <<plugins-{type}s-{plugin}-after_count>> |<<number,number>>|No
|
173
|
+
| <<plugins-{type}s-{plugin}-before_count>> |<<number,number>>|No
|
174
|
+
| <<plugins-{type}s-{plugin}-key>> |<<string,string>>|Yes
|
175
|
+
| <<plugins-{type}s-{plugin}-max_age>> |<<number,number>>|No
|
176
|
+
| <<plugins-{type}s-{plugin}-max_counters>> |<<number,number>>|No
|
177
|
+
| <<plugins-{type}s-{plugin}-period>> |<<string,string>>|No
|
178
|
+
|=======================================================================
|
179
|
+
|
180
|
+
Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
|
181
|
+
filter plugins.
|
182
|
+
|
183
|
+
|
184
|
+
|
185
|
+
[id="plugins-{type}s-{plugin}-after_count"]
|
186
|
+
===== `after_count`
|
187
|
+
|
188
|
+
* Value type is <<number,number>>
|
189
|
+
* Default value is `-1`
|
190
|
+
|
191
|
+
Events greater than this count will be throttled. Setting this value to -1, the
|
192
|
+
default, will cause no events to be throttled based on the upper bound.
|
193
|
+
|
194
|
+
[id="plugins-{type}s-{plugin}-before_count"]
|
195
|
+
===== `before_count`
|
196
|
+
|
197
|
+
* Value type is <<number,number>>
|
198
|
+
* Default value is `-1`
|
199
|
+
|
200
|
+
Events less than this count will be throttled. Setting this value to -1, the
|
201
|
+
default, will cause no events to be throttled based on the lower bound.
|
202
|
+
|
203
|
+
[id="plugins-{type}s-{plugin}-key"]
|
204
|
+
===== `key`
|
205
|
+
|
206
|
+
* This is a required setting.
|
207
|
+
* Value type is <<string,string>>
|
208
|
+
* There is no default value for this setting.
|
209
|
+
|
210
|
+
The key used to identify events. Events with the same key are grouped together.
|
211
|
+
Field substitutions are allowed, so you can combine multiple fields.
|
212
|
+
|
213
|
+
[id="plugins-{type}s-{plugin}-max_age"]
|
214
|
+
===== `max_age`
|
215
|
+
|
216
|
+
* Value type is <<number,number>>
|
217
|
+
* Default value is `3600`
|
218
|
+
|
219
|
+
The maximum age of a timeslot. Higher values allow better tracking of an asynchronous
|
220
|
+
flow of events, but require more memory. As a rule of thumb you should set this value
|
221
|
+
to at least twice the period. Or set this value to period + maximum time offset
|
222
|
+
between unordered events with the same key. Values below the specified period give
|
223
|
+
unexpected results if unordered events are processed simultaneously.
|
224
|
+
|
225
|
+
[id="plugins-{type}s-{plugin}-max_counters"]
|
226
|
+
===== `max_counters`
|
227
|
+
|
228
|
+
* Value type is <<number,number>>
|
229
|
+
* Default value is `100000`
|
230
|
+
|
231
|
+
The maximum number of counters to store before decreasing the maximum age of a timeslot.
|
232
|
+
Setting this value to -1 will prevent an upper bound with no constraint on the
|
233
|
+
number of counters. This configuration value should only be used as a memory
|
234
|
+
control mechanism and can cause early counter expiration if the value is reached.
|
235
|
+
It is recommended to leave the default value and ensure that your key is selected
|
236
|
+
such that it limits the number of counters required (i.e. don't use UUID as the key).
|
237
|
+
|
238
|
+
[id="plugins-{type}s-{plugin}-period"]
|
239
|
+
===== `period`
|
240
|
+
|
241
|
+
* Value type is <<string,string>>
|
242
|
+
* Default value is `"60"`
|
243
|
+
|
244
|
+
The period in seconds after the first occurrence of an event until a new timeslot
|
245
|
+
is created. This period is tracked per unique key and per timeslot.
|
246
|
+
Field substitutions are allowed in this value. This allows you to specify that
|
247
|
+
certain kinds of events throttle for a specific period of time.
|
248
|
+
|
249
|
+
|
250
|
+
|
251
|
+
[id="plugins-{type}s-{plugin}-common-options"]
|
252
|
+
include::{include_path}/{type}.asciidoc[]
|
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-filter-throttle'
|
4
|
-
s.version = '4.0.
|
4
|
+
s.version = '4.0.2'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "The throttle filter is for throttling the number of events received."
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
|
|
11
11
|
s.require_paths = ["lib"]
|
12
12
|
|
13
13
|
# Files
|
14
|
-
s.files = Dir[
|
14
|
+
s.files = Dir["lib/**/*","spec/**/*","*.gemspec","*.md","CONTRIBUTORS","Gemfile","LICENSE","NOTICE.TXT", "vendor/jar-dependencies/**/*.jar", "vendor/jar-dependencies/**/*.rb", "VERSION", "docs/**/*"]
|
15
15
|
|
16
16
|
# Tests
|
17
17
|
s.test_files = s.files.grep(%r{^(test|spec|features)/})
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-filter-throttle
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.0.
|
4
|
+
version: 4.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2017-06-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -84,6 +84,7 @@ files:
|
|
84
84
|
- LICENSE
|
85
85
|
- NOTICE.TXT
|
86
86
|
- README.md
|
87
|
+
- docs/index.asciidoc
|
87
88
|
- lib/logstash/filters/throttle.rb
|
88
89
|
- logstash-filter-throttle.gemspec
|
89
90
|
- spec/filters/throttle_spec.rb
|