logstash alert after 1000 occurences

You may have better success using the metrics filter.

filter {
  my_filtering_conditional_that_is_100%_correct {
    metrics {
      meter => [ "events" ]
      flush_interval => 600
      clear_interval => 600
      add_tag => "events"
    }
  }
}

output {
  if "events" in [tags] {
    if [events][count] > 1000 {
      # do things
    }
  }
}

Tags:

Logstash

Related