在和 codec/multiline 搭配使用的时候，需要注意一个问题：grok 正则和普通正则一样，默认是不支持匹配回车换行的。就像你需要写 =~ /.../m 一样，这里也需要单独指定，具体写法是在表达式开始位置加 (?m) 标记。如下所示：
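match => {
  # (?m) is the Oniguruma/Ruby flag that lets "." match a newline, which is
  # what a record assembled by codec/multiline needs.
  # Backslashes restored: the listing had lost them, so "s+" / "d+" read as
  # runs of literal letters instead of the whitespace / digit classes.
  "message" => "(?m)\s+(?<request_time>\d+(?:\.\d+)?)\s+"
}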
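input {
  # One file input per slow-log source. [type] is what the filter and output
  # stages key on, so keep the two values in sync with those stages.
  # The multiline codec appends every line to the previous event until a
  # "# User@Host:" header line starts a new slow-query record.
  file {
    type => "zj_mysql"
    path => ["/data01/applog_backup/zjzc_log/zj-mysql01-slowlog.*"]
    codec => multiline {
      # Backslashes restored (the listing showed "s+", which only matches a
      # run of literal 's'). NOTE(review): "^\s+" requires at least one leading
      # blank before "#"; if the header starts at column 0 in these logs,
      # "^\s*#" is what is wanted -- confirm against a real file.
      pattern => "^\s+#\s+User@Host:"
      negate => true
      what => "previous"
    }
  }
  file {
    type => "wj_mysql"
    path => ["/data01/applog_backup/winfae_log/wj-mysql01-slowlog.*"]
    codec => multiline {
      # Same header pattern as the zj_mysql input above (same caveat).
      pattern => "^\s+#\s+User@Host:"
      negate => true
      what => "previous"
    }
  }
}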
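filter {
  # drop sleep events: tag any record containing "SELECT SLEEP", then drop it.
  # tag_on_failure is emptied so that every other (real) record does not pick
  # up the default _grokparsefailure tag from this probe.
  grok {
    match => { "message" => "SELECT SLEEP" }
    add_tag => [ "sleep_drop" ]
    tag_on_failure => []
  }
  if "sleep_drop" in [tags] {
    drop {}
  }
  # Parse the multiline slow-query record into fields. (?m) lets "." cross
  # line breaks. Backslashes restored throughout (the listing had "s+", "S+",
  # "d+" and unescaped "[" "]" with the escapes stripped); structure and field
  # names are otherwise unchanged, so downstream consumers keep working.
  # The line break inside the string is part of the pattern (it separates the
  # "Rows_examined" header line from the "SET timestamp=" line).
  # NOTE(review): "(?<id>(\S+\s+)*\S+)" is a nested repetition and can
  # backtrack heavily on long records that do not match; if the header really
  # carries "Id: <number>", a tighter sub-pattern is safer -- confirm against
  # the log format before changing it.
  grok {
    match => { "message" => "(?m)\s*# User@Host:\s+\S+\[%{USER:user}\]\s+@\s+\[%{IP:clientip}\]\s+(?<id>(\S+\s+)*\S+)\s*#\s+Query_time:\s+%{NUMBER:Query_time}\s+Lock_time: %{NUMBER:lock_time}\s+Rows_sent: %{NUMBER:rows_sent}\s+Rows_examined: %{NUMBER:rows_examined}\s*
\s*SET\s+timestamp=%{NUMBER:timestamp};\s*(?<query>(\s*\S+\s*).*)\s*" }
  }
  # Use the record's own UNIX epoch as @timestamp. remove_field is a
  # success-only option, so a record whose timestamp fails to parse keeps the
  # raw field for inspection.
  date {
    match => [ "timestamp", "UNIX" ]
    remove_field => [ "timestamp" ]
  }
}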
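output {
  # Both slow-log types go to the same Redis list broker; the only thing that
  # differed between the two former copies was the list key, which is exactly
  # "<type>:redis", so it is derived from [type] here. Events with any other
  # type are still not emitted, as before.
  if [type] in ["zj_mysql", "wj_mysql"] {
    redis {
      host => "192.168.32.67"
      data_type => "list"
      key => "%{type}:redis"
      port => "6379"
      # SECURITY(review): the broker password sits in clear text in this
      # pipeline file and travels with every copy of it (backups, VCS, pastes).
      # Prefer Logstash's ${VAR} substitution backed by the keystore or the
      # environment, and keep the file's permissions restricted. Nothing here
      # enables TLS either, so the Redis session itself is in the clear on the
      # network -- acceptable only on a trusted segment.
      password => "1234567"
    }
  }
}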