No overflow for single ip

Hello, I have the following simple scenario. I want to count requests to a specific endpoint and group them by IP. If more than two requests within 30s come from the same IP, it should overflow.

type: leaky
name: bu/tariffs-by-ip
description: "detect too many requests to tariffs endpoint from the same ip"
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.request startsWith '/desktopapi/tariffs/'"
leakspeed: "30s"
capacity: 2
groupby: evt.Meta.source_ip
blackhole: 1m
reprocess: false
debug: true
labels:
 service: http
 type: crawler-check
 remediation: true

When I now run a replay with a log file containing 3 matching entries, also with the date and time changed, I would expect one decision for the IP, but nothing happens: no alerts, no decision.

This is in the profiles:

filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() startsWith "bu/"
decisions:
 - type: captcha
   duration: 5m
on_success: break

I also see 3 matches in the log output:

INFO[06-05-2022 18:04:35] Adding leaky bucket                           cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
WARN[06-05-2022 18:04:35] Loaded 1 scenarios
INFO[06-05-2022 18:04:35] Adding file /var/log/haproxy/access-tariffs.log to filelist  type="file:///var/log/haproxy/access-tariffs.log"
WARN[06-05-2022 18:04:35] Starting processing data
INFO[06-05-2022 18:04:35] reading /var/log/haproxy/access-tariffs.log at once  type="file:///var/log/haproxy/access-tariffs.log"
DEBU[06-05-2022 18:04:35] eval(evt.Meta.log_type == 'http_access-log' && evt.Parsed.request startsWith '/desktopapi/tariffs/') = TRUE  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] eval variables:                               cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35]        evt.Meta.log_type = 'http_access-log'  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35]        evt.Parsed.request = '/desktopapi/tariffs/1152'  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] Creating TimeMachine bucket                   cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] Leaky routine starting, lifetime : 1m30s      bucket_id=late-dust capacity=2 cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip partition=bf0144f2f44b84cff9d26aa5697cc7202d323a8f
DEBU[06-05-2022 18:04:35] Created new bucket bf0144f2f44b84cff9d26aa5697cc7202d323a8f  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] bucket 'bu/tariffs-by-ip' is poured           cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] First event, bucket creation time : 2022-05-06 16:36:34 +0000 UTC  bucket_id=late-dust capacity=2 cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip partition=bf0144f2f44b84cff9d26aa5697cc7202d323a8f
DEBU[06-05-2022 18:04:35] eval(evt.Meta.log_type == 'http_access-log' && evt.Parsed.request startsWith '/desktopapi/tariffs/') = TRUE  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] eval variables:                               cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35]        evt.Meta.log_type = 'http_access-log'  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35]        evt.Parsed.request = '/desktopapi/tariffs/1152'  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] bucket 'bu/tariffs-by-ip' is poured           cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
WARN[06-05-2022 18:04:35] Acquisition is finished, shutting down
INFO[06-05-2022 18:04:35] Killing parser routines
DEBU[06-05-2022 18:04:35] eval(evt.Meta.log_type == 'http_access-log' && evt.Parsed.request startsWith '/desktopapi/tariffs/') = TRUE  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] eval variables:                               cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35]        evt.Meta.log_type = 'http_access-log'  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35]        evt.Parsed.request = '/desktopapi/tariffs/1152'  cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
DEBU[06-05-2022 18:04:35] bucket 'bu/tariffs-by-ip' is poured           cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip
INFO[06-05-2022 18:04:36] Bucket routine exiting
DEBU[06-05-2022 18:04:36] Bucket externally killed, return              bucket_id=late-dust capacity=2 cfg=weathered-shape file=/etc/crowdsec/scenarios/bu-tariffs-by-ip.yaml name=bu/tariffs-by-ip partition=bf0144f2f44b84cff9d26aa5697cc7202d323a8f
INFO[06-05-2022 18:04:37] crowdsec shutdown

What is wrong here?

The scenario was working for me when I added three requests in real time to the monitored access.log, so I guess something with the replay was wrong.

So it works for you now?

Yes, this scenario is working for now. Thanks! But I still need help for the other problem: Ban each request after overflow - #7 by janbaer
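
For readers checking what a scenario like the one in this thread should produce for a given log file, here is a small offline model, added as an example and not taken from the thread or from CrowdSec's code. It assumes a simplified leaky bucket (continuous leak of one event per `leakspeed`, overflow when the level exceeds `capacity`, bucket reset on overflow, repeat overflows for the same key suppressed during `blackhole`) and uses the events' own timestamps, as a replay does; the sample events and the names `simulate`, `at` and `SAMPLE` are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values copied from the scenario posted above.
LEAKSPEED = timedelta(seconds=30)   # leakspeed: "30s"
CAPACITY = 2                        # capacity: 2
BLACKHOLE = timedelta(minutes=1)    # blackhole: 1m


def simulate(events):
    """events: (timestamp, source_ip) pairs sorted by time.
    Returns the (timestamp, source_ip) pairs at which an overflow is reported."""
    level = defaultdict(float)      # one bucket per groupby key (source IP)
    last_seen = {}
    silenced_until = {}
    overflows = []
    for ts, ip in events:
        if ip in last_seen:
            # Assumption: the bucket leaks continuously, one event per LEAKSPEED.
            leaked = (ts - last_seen[ip]) / LEAKSPEED
            level[ip] = max(0.0, level[ip] - leaked)
        last_seen[ip] = ts
        level[ip] += 1              # pour the event
        if level[ip] > CAPACITY:
            level[ip] = 0.0         # assumption: bucket starts over after overflow
            if ts >= silenced_until.get(ip, ts):
                overflows.append((ts, ip))
                silenced_until[ip] = ts + BLACKHOLE
    return overflows


def at(seconds):
    """Constructed timestamp: offset from the bucket creation time in the log."""
    return datetime(2022, 5, 6, 16, 36, 34) + timedelta(seconds=seconds)


# Constructed sample: 192.0.2.10 bursts three times, 192.0.2.20 stays slow.
SAMPLE = [
    (at(0), "192.0.2.10"), (at(0), "192.0.2.20"),
    (at(5), "192.0.2.10"),
    (at(10), "192.0.2.10"),    # third request within 30s: overflow
    (at(12), "192.0.2.10"), (at(14), "192.0.2.10"),
    (at(16), "192.0.2.10"),    # overflows again, but inside the blackhole
    (at(40), "192.0.2.20"), (at(80), "192.0.2.20"),
    (at(100), "192.0.2.10"), (at(101), "192.0.2.10"),
    (at(102), "192.0.2.10"),   # blackhole expired: reported again
]

if __name__ == "__main__":
    for ts, ip in simulate(SAMPLE):
        print(f"overflow for {ip} at {ts.isoformat()}")
```
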