The throttle filter plugin in Logstash is used to limit the rate of events passing through the pipeline. It's particularly useful when you need to control the flow of events to prevent overwhelming downstream systems or to comply with API rate limits.
Syntax
filter {
throttle {
before_count => number
after_count => number
period => number
key => "..."
allow_mode => "..."
max_age => number
cache_size => number
}
}
For detailed configuration options, refer to the official Logstash throttle filter documentation.
Example Use Case
Suppose you're collecting logs from multiple sources and want to limit the number of error messages sent to a monitoring system to avoid flooding alerts. Here's an example configuration:
filter {
if [loglevel] == "ERROR" {
throttle {
key => "%{host}"
before_count => 3
after_count => 1
period => 60
add_tag => "throttled"
}
}
}
This configuration allows the first 3 error messages from each host to pass through normally within a 60-second period. After that, only 1 message per minute will be allowed, and these messages will be tagged with "throttled".
Common Issues and Best Practices
- Memory usage: Be cautious with the
cache_size
setting, as a large cache can consume significant memory. - Key selection: Choose an appropriate
key
to group events effectively. Using too broad a key might not throttle as expected, while too narrow a key could lead to over-throttling. - Throttle placement: Place the throttle filter as early in your pipeline as possible to reduce processing overhead for throttled events.
- Monitoring: Use Logstash monitoring to keep track of throttled events and adjust your configuration if necessary.
Frequently Asked Questions
Q: How does the throttle filter differ from the drop filter?
A: While both can reduce event flow, the throttle filter allows for more granular control over the rate of events, whereas the drop filter simply discards events based on conditions without considering timing or frequency.
Q: Can I use the throttle filter to implement a sliding window rate limit?
A: The throttle filter uses fixed time periods rather than sliding windows. For sliding window rate limiting, you might need to implement a custom solution or use external rate limiting mechanisms.
Q: What happens to events that are throttled?
A: Throttled events are typically dropped and do not continue through the pipeline. However, you can use the add_tag
option to mark throttled events for special handling later in the pipeline if needed.
Q: Can the throttle filter be used to implement API rate limiting?
A: Yes, the throttle filter is often used to comply with API rate limits by controlling the flow of events to output plugins that interact with rate-limited APIs.
Q: How can I reset the throttle counter?
A: The throttle counter automatically resets after the specified period
. There's no built-in way to manually reset it, but restarting Logstash will clear all counters.