mysql:
Server version: 5.7.17
mysql日志格式:
简单的要求
需要慢sql和慢sql的查询时间和切换的库
logstash配置写法
input {
file {
path => "/data/soft/mysql-slow.log"
start_position => "beginning"
type => "mysql-slow"
codec => multiline {
pattern => "^# User@Host:"
negate => true
what => previous
}
}
}
output {
if[type] == "mysql-slow" {
elasticsearch {
index => "mysql-slow1-%{+YYYY.MM.dd}"
hosts => ["192.168.1.252:9200"]
}
}
}
codec的multiline插件
使用codec的multiline插件实现多行匹配,这是一个可以将多行进行合并的插件,而且可以使用what指定将匹配到的行与前面的行合并还是和后面的行合并。
input {
stdin {
codec => multiline {
pattern => "^\[" #当遇到[开头的行时候将多行进行合并
negate => true #true为匹配成功进行操作,false为不成功进行操作
what => "previous" #与上面的行合并,如果是下面的行合并就是next
}}
}
测试输出
input {
file {
path => "/data/soft/mysql-slow.log"
start_position => "beginning"
type => "mysql-slow"
codec => multiline {
pattern => "^# User@Host:"
negate => true
what => previous
}
}
file {
path => "/etc/passwd"
start_position => "beginning"
type => "passwd"
codec => multiline {
pattern => "^#"
negate => true
what => previous
}
}
output {
if[type] == "mysql-slow" {
elasticsearch {
index => "mysql-slow1-%{+YYYY.MM.dd}"
hosts => ["192.168.1.252:9200"]
}
}
if[type] == "passwd" {
elasticsearch {
index => "passwd1-%{+YYYY.MM.dd}"
hosts => ["192.168.1.252:9200"]
}
}
查看elasticsearch-head结果
结果是: 把#开头的合上一条合并 其他的合并一条
简单处理mysql慢日志展示
kibana展示结果