Logstash throttle Filter Plugin

Pulse - Elasticsearch Operations Done Right

On this page

Syntax Example Use Case Common Issues and Best Practices Frequently Asked Questions

The throttle filter plugin in Logstash is used to limit the rate of events passing through the pipeline. It's particularly useful when you need to control the flow of events to prevent overwhelming downstream systems or to comply with API rate limits.

Syntax

filter {
  throttle {
    before_count => number
    after_count => number
    period => number
    key => "..."
    allow_mode => "..."
    max_age => number
    cache_size => number
  }
}

For detailed configuration options, refer to the official Logstash throttle filter documentation.

Example Use Case

Suppose you're collecting logs from multiple sources and want to limit the number of error messages sent to a monitoring system to avoid flooding alerts. Here's an example configuration:

filter {
  if [loglevel] == "ERROR" {
    throttle {
      key => "%{host}"
      before_count => 3
      after_count => 1
      period => 60
      add_tag => "throttled"
    }
  }
}

This configuration allows the first 3 error messages from each host to pass through normally within a 60-second period. After that, only 1 message per minute will be allowed, and these messages will be tagged with "throttled".

Common Issues and Best Practices

  1. Memory usage: Be cautious with the cache_size setting, as a large cache can consume significant memory.
  2. Key selection: Choose an appropriate key to group events effectively. Using too broad a key might not throttle as expected, while too narrow a key could lead to over-throttling.
  3. Throttle placement: Place the throttle filter as early in your pipeline as possible to reduce processing overhead for throttled events.
  4. Monitoring: Use Logstash monitoring to keep track of throttled events and adjust your configuration if necessary.

Frequently Asked Questions

Q: How does the throttle filter differ from the drop filter?
A: While both can reduce event flow, the throttle filter allows for more granular control over the rate of events, whereas the drop filter simply discards events based on conditions without considering timing or frequency.

Q: Can I use the throttle filter to implement a sliding window rate limit?
A: The throttle filter uses fixed time periods rather than sliding windows. For sliding window rate limiting, you might need to implement a custom solution or use external rate limiting mechanisms.

Q: What happens to events that are throttled?
A: Throttled events are typically dropped and do not continue through the pipeline. However, you can use the add_tag option to mark throttled events for special handling later in the pipeline if needed.

Q: Can the throttle filter be used to implement API rate limiting?
A: Yes, the throttle filter is often used to comply with API rate limits by controlling the flow of events to output plugins that interact with rate-limited APIs.

Q: How can I reset the throttle counter?
A: The throttle counter automatically resets after the specified period. There's no built-in way to manually reset it, but restarting Logstash will clear all counters.

Pulse - Elasticsearch Operations Done Right

Pulse can solve your Elasticsearch issues

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.

We use cookies to provide an optimized user experience and understand our traffic. To learn more, read our use of cookies; otherwise, please choose 'Accept Cookies' to continue using our website.