将数字变量传递给油门过滤器的 max_age 字段的正确方法是什么

What's the right way to pass a number variable to the max_age field of throttle filter

如何将整数字段传递给节流过滤器块的 max_age 参数?我无法克服下面显示的错误。

[ERROR] 2019-02-18 20:19:30.005 [Converge PipelineAction::Create<main>] throttle - Invalid setting for throttle filter plugin:

  filter {
    throttle {
      # This setting must be a number
      # Expected number, got "throttle_max_age" (type throttle_max_age)
      max_age => ["throttle_max_age"]
      ...
    }
  }

我的 logstash 配置的过滤器部分:

filter {

    mutate { add_field => { "eventkey" => "%{[logger][hostname]}-%{[probe][name]}-%{voltage_category}" } }

    # Specific alert frequencies for different alert categories
    if ["voltage_category] == "normal" {
        # Voltage normal
        # 86400 = one day
        mutate { add_field => { "throttle_period" => 86400 }  }
        # Two days and ten seconds
        mutate { add_field => { "throttle_max_age" => 172810 } }
    } else {
        # Abnormal event. Throttle less, so more notifications are transmitted
        mutate { add_field => { "throttle_period" => 15 } }
        mutate { add_field => { "throttle_max_age" => 180 } }
    } # end of voltage abnormal

    # Added this for S & G - had no effect. 
    mutate { convert => { "throttle_max_age" => "integer" } }

    # For a given ID, emit ONE event no more than every 15 seconds
    # ID: logger.hostname + probe.name
    throttle {
        key => "%{eventkey}"
        period => [throttle_period]
        max_age => [throttle_max_age]
        before_count => -1
        after_count => 1
        add_tag => "throttled"
    }
}

不幸的是,目前似乎无法做到这一点,因为在加载 Logstash 配置时会验证该值,并且它需要一个具体的数值。

这是 throttle 插件的源代码,它检查值是否为数字:
https://github.com/logstash-plugins/logstash-filter-throttle/blob/master/lib/logstash/filters/throttle.rb#L191
与允许字段替换的周期值相比:
https://github.com/logstash-plugins/logstash-filter-throttle/blob/5c8d3543ba0eed9ba8a93ae4ffbef7fb15d881ea/lib/logstash/filters/throttle.rb#L197

作为变通方法,如果 max_age 的值只有几个案例,您可以修改条件并在其中放置两个节流过滤器。例如:

# Specific alert frequencies for different alert categories
if ["voltage_category] == "normal" {
    # Voltage normal
    throttle {
        key => "%{eventkey}"
        # 86400 = one day
        period => 86400
        # Two days and ten seconds
        max_age => 172810
        before_count => -1
        after_count => 1
        add_tag => "throttled"
    }
} else {
    # Abnormal event. Throttle less, so more notifications are transmitted
    throttle {
        key => "%{eventkey}"
        period => 15
        max_age => 180
        before_count => -1
        after_count => 1
        add_tag => "throttled"
    }
    # end of voltage abnormal
}