The metrics filter is useful for aggregating metrics.
For example, if you have a field ‘response’ that is a http response code, and you want to count each kind of response, you can do this:
filter {
metrics {
meter => [ "http.%{response}" ]
add_tag => "metric"
}
}
Metrics are flushed every 5 seconds by default or according to ‘flush_interval’. Metrics appear as new events in the event stream and go through any filters that occur after as well as outputs.
In general, you will want to add a tag to your metrics and have an output explicitly look for that tag.
The event that is flushed will include every ‘meter’ and ‘timer’ metric in the following way:
For a meter => "something" you will receive the following fields:
For a timer => [ "thing", "%{duration}" ] you will receive the following fields:
percentiles)For a simple example, let’s track how many events per second are running through logstash:
input {
generator {
type => "generated"
}
}
filter {
if [type] == "generated" {
metrics {
meter => "events"
add_tag => "metric"
}
}
}
output {
# only emit events with the 'metric' tag
if "metric" in [tags] {
stdout {
message => "rate: %{events.rate_1m}"
}
}
}
Running the above:
% java -jar logstash.jar agent -f example.conf
rate: 23721.983566819246
rate: 24811.395722536377
rate: 25875.892745934525
rate: 26836.42375967113
We see the output includes our ‘events’ 1-minute rate.
In the real world, you would emit this to graphite or another metrics store, like so:
output {
graphite {
metrics => [ "events.rate_1m", "%{events.rate_1m}" ]
}
}
filter {
metrics {
add_field => ... # hash (optional), default: {}
add_tag => ... # array (optional), default: []
clear_interval => ... # number (optional), default: -1
flush_interval => ... # number (optional), default: 5
ignore_older_than => ... # number (optional), default: 0
meter => ... # array (optional), default: []
percentiles => ... # array (optional), default: [1, 5, 10, 90, 95, 99, 100]
rates => ... # array (optional), default: [1, 5, 15]
remove_field => ... # array (optional), default: []
remove_tag => ... # array (optional), default: []
timer => ... # hash (optional), default: {}
}
}
If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field} Example:
filter {
metrics {
add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
}
}
# You can also add multiple fields at once:
filter {
metrics {
add_field => {
"foo_%{somefield}" => "Hello world, from %{host}"
"new_field" => "new_static_value"
}
}
}
If the event has field “somefield” == “hello” this filter, on success, would add field “foo_hello” if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.
If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:
filter {
metrics {
add_tag => [ "foo_%{somefield}" ]
}
}
# You can also add multiple tags at once:
filter {
metrics {
add_tag => [ "foo_%{somefield}", "taggedy_tag"]
}
}
If the event has field “somefield” == “hello” this filter, on success, would add a tag “foo_hello” (and the second example would of course add a “taggedy_tag” tag).
The clear interval, when all counter are reset.
If set to -1, the default value, the metrics will never be cleared. Otherwise, should be a multiple of 5s.
Only handle events without all/any (controlled by exclude_any config option) of these tags. Optional.
The flush interval, when the metrics event is created. Must be a multiple of 5s.
Don’t track events that have @timestamp older than some number of seconds.
This is useful if you want to only include events that are near real-time in your metrics.
Example, to only count events that are within 10 seconds of real-time, you would do this:
filter {
metrics {
meter => [ "hits" ]
ignore_older_than => 10
}
}
syntax: meter => [ "name of metric", "name of metric" ]
The percentiles that should be measured
The rates that should be measured, in minutes. Possible values are 1, 5, and 15.
If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:
filter {
metrics {
remove_field => [ "foo_%{somefield}" ]
}
}
# You can also remove multiple fields at once:
filter {
metrics {
remove_field => [ "foo_%{somefield}" "my_extraneous_field" ]
}
}
If the event has field “somefield” == “hello” this filter, on success, would remove the field with name “foo_hello” if it is present. The second example would remove an additional, non-dynamic field.
If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:
filter {
metrics {
remove_tag => [ "foo_%{somefield}" ]
}
}
# You can also remove multiple tags at once:
filter {
metrics {
remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
}
}
If the event has field “somefield” == “hello” this filter, on success, would remove the tag “foo_hello” if it is present. The second example would remove a sad, unwanted tag as well.
Only handle events with all/any (controlled by include_any config option) of these tags. Optional.
syntax: timer => [ "name of metric", "%{time_value}" ]
Note that all of the specified routing options (type,tags.exclude_tags,include_fields,exclude_fields) must be met in order for the event to be handled by the filter. The type to act on. If a type is given, then this filter will only act on messages with the same type. See any input plugin’s “type” attribute for more. Optional.