Email alert after threshold crossed, logstash?

Siddharth Trikha · Jun 13, 2014 · Viewed 9.2k times

I am using logstash, elasticsearch and kibana to analyze my logs. I am alerting via email when a particular string appears in the log, using the email output in logstash:

email {
        match => [ "Session Detected", "logline,*Session closed*" ]
...........................
}

This works fine.

Now, I want to alert on the count of a field (when a threshold is crossed):

E.g. if user is a field, I want to alert when the number of unique users goes above 5.

Can this be done via the email output in logstash?
Please help.

EDIT: As @Alcanzar suggested, I did this:

config file:

    if [server] == "Server2" and [logtype] == "ABClog" {

        grok {
            match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:server-name} abc\[%{INT:id}\]: \(%{USERNAME:user}\) CMD \(%{GREEDYDATA:command}\)"]
        }

        metrics {
            meter => ["%{user}"]
            add_tag => "metric"
        }

    }

So according to the above, for server2 and abclog I have a grok pattern for parsing my file, and I want the metric applied on the user field parsed by grok.

I did that in the config file as above, but I get strange behaviour when I check the logstash console with -vv.

So if there are 9 log lines in the file, it parses those 9 first; after that it starts the metric part, but there the message field is not the log line from the log file but the user name of my PC, so it gives _grokparsefailure. Something like this:

    output received {
      :event=>{"@version"=>"1", "@timestamp"=>"2014-06-17T10:21:06.980Z", "message"=>"my-pc-name",
      "root.count"=>2, "root.rate_1m"=>0.0, "root.rate_5m"=>0.0, "root.rate_15m"=>0.0,
      "abc.count"=>2, "abc.rate_1m"=>0.0, "abc.rate_5m"=>0.0, "abc.rate_15m"=>0.0, "tags"=>["metric",
      "_grokparsefailure"]}, :level=>:debug, :file=>"(eval)", :line=>"137"
    }

Any help is appreciated.

Answer

Alcanzar · Jun 16, 2014

I believe what you need is http://logstash.net/docs/1.4.1/filters/metrics.

You'd want to use a metrics tag to calculate the rate of your event, and then use the thing.rate_1m or thing.rate_5m in an if statement around your email output.

For example:

filter {
  if [message] =~ /whatever_message_you_want/ {
    metrics {
        meter =>  "user"
        add_tag =>  "metric"
    }
  }
}

output {
  if "metric" in [tags] and [user.rate_1m] > 1 {
    email { ... }
  }
}
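The question asks for a threshold on the number of unique users, while the metrics filter's meter counts events per meter name (one "<user>.count" field per user, as the debug output above shows). The following is an added Python example, not code from the question, the answer or the Logstash project, that reproduces the pipeline's logic offline so the two notions can be compared: a regex equivalent of the question's grok pattern, per-user counts named like the metrics filter's "<user>.count" fields, a distinct-user count checked against the threshold of 5, and the same check evaluated per flush window. The log lines are constructed, the "abc" daemon format is the one the question's grok pattern implies, and the tumbling window is a simplification of the metrics filter's flush_interval/clear_interval handling, not its exact rate calculation.

```python
"""Threshold alerting on a parsed log field, modelled on the question's grok + metrics setup."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Regex equivalent of the grok pattern from the question (hypothetical "abc" daemon log format).
LINE_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<server_name>\S+) abc\[(?P<id>\d+)\]: "
    r"\((?P<user>[\w.-]+)\) CMD \((?P<command>.*)\)$"
)

# Constructed sample log; the last line deliberately does not match (a _grokparsefailure).
SAMPLE_LOG = """\
2014-06-17T10:21:01 server2 abc[101]: (root) CMD (ls -la)
2014-06-17T10:21:02 server2 abc[102]: (alice) CMD (cat /etc/hosts)
2014-06-17T10:21:03 server2 abc[103]: (root) CMD (whoami)
2014-06-17T10:21:04 server2 abc[104]: (bob) CMD (id)
2014-06-17T10:21:05 server2 abc[105]: (carol) CMD (uptime)
2014-06-17T10:21:06 server2 abc[106]: (dave) CMD (df -h)
2014-06-17T10:21:07 server2 abc[107]: (erin) CMD (uname -a)
2014-06-17T10:21:08 server2 abc[108]: (frank) CMD (date)
this line does not match the pattern
"""


def parse_line(line):
    """Return the parsed fields as a dict, or None when the pattern does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["timestamp"] = datetime.fromisoformat(event["timestamp"])
    return event


def parse_log(text):
    """Parse every non-empty line; lines that fail to parse are counted, not alerted on."""
    events, failures = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            failures += 1
        else:
            events.append(event)
    return events, failures


def meter_counts(events):
    """Per-user event counts, named like the metrics filter's "<user>.count" fields."""
    counts = Counter(e["user"] for e in events)
    return {f"{user}.count": n for user, n in counts.items()}


def distinct_users(events):
    """The set of distinct user values, which is what the question wants to threshold."""
    return {e["user"] for e in events}


def evaluate_alert(events, threshold=5):
    """Alert when the number of distinct users exceeds the threshold."""
    users = distinct_users(events)
    return {"distinct_users": len(users), "alert": len(users) > threshold,
            "meter": meter_counts(events)}


def windowed_alerts(events, flush_interval=5, threshold=5):
    """Evaluate the threshold per tumbling window of flush_interval seconds.

    Assumption: a plain tumbling window stands in for the metrics filter's
    flush/clear intervals; it is not the filter's exact rate calculation.
    """
    if not events:
        return []
    start = min(e["timestamp"] for e in events)
    windows = {}
    for e in events:
        idx = int((e["timestamp"] - start).total_seconds() // flush_interval)
        windows.setdefault(idx, []).append(e)
    results = []
    for idx in sorted(windows):
        result = evaluate_alert(windows[idx], threshold)
        result["window_start"] = start + timedelta(seconds=idx * flush_interval)
        results.append(result)
    return results


if __name__ == "__main__":
    parsed, failed = parse_log(SAMPLE_LOG)
    print(f"parsed={len(parsed)} grok_failures={failed}")
    print("whole file:", evaluate_alert(parsed))
    for w in windowed_alerts(parsed, flush_interval=5):
        print(w["window_start"].isoformat(), "distinct:", w["distinct_users"], "alert:", w["alert"])
```

Run over the whole constructed file the check fires (7 distinct users), but with the evaluation split into 5-second windows neither window reaches the threshold, which is the practical consequence of choosing a flush interval: the alert condition is only ever judged against what accumulated in that window. Note also that the non-matching line is counted separately rather than fed into the user tally, mirroring the "_grokparsefailure" tag in the question's debug output.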