Hey there,
first time posting on the community, so greetings everyone! I apologize in advance if I’m making any rookie mistakes. I also apologize because English is not my main language.
So I’ve got a question about metric filtering on aggregator plugins using the “drop_original = true” option. I’ve found the documentation not clear enough and I’d like to clarify how it should behave.
This quote comes from the documentation about metric filtering on aggregator plugins:
If a metric is excluded from a Processor or Aggregator plugin, it skips the plugin and is sent onwards to the next stage of processing.
My question is: should an aggregator configuration with “drop_original = true” and several filtering options be discarding metrics that do not match those options, or only the original metrics that match said options before being aggregated?
If my explanation wasn’t clear enough, which it probably wasn’t, I’m adding this logparser configuration as an example:
  [inputs.logparser.grok]
    patterns = [
      "%{MODSEC_HIT_LINE}"
    ]
    custom_pattern_files = [
      "/etc/telegraf/grok_patterns/modsec_rules.txt"
    ]
    measurement = "modsec_rules_hits"
    timezone = 'Local'

[[aggregators.basicstats]]
  # namepass takes a list of measurement names, not a single string
  namepass = ["modsec_rules_hits"]
  drop_original = false
  period = "10s"
  grace = "60s"
  fieldpass = ["rev"]
  stats = ["count"]
As you can see, I have a logparser that sends metrics to the “modsec_rules_hits” measurement and a “basicstats” aggregator that should only affect metrics sent to said measurement that contain the field “rev”. My question is: should it be dropping any metric that is not directed towards the “modsec_rules_hits” measurement or only those that are indeed directed towards that measurement before being aggregated?
Thank you all and best regards,
Héctor