How to remove newline using multiline config in filebeat
Log file:
2020-06-01T07:44:31.300103 H 80 DHandler.cpp:953 stdlog sql_execute 11201 9 handcrafted admin 431-856b {"query","client","execution_time","total_time"} {"SELECT user.id AS user_meta_id, user_meta.security_risk_score AS user_meta_security_risk_score FROM user_meta WHERE 2 = ANY user_meta.department_ids ORDER BY user_meta.security_risk_score DESC LIMIT 10","http:10.10.10.1","8","9"}
Expect:
Every FROM, WHERE and LIMIT has a new line before it. It should come as a single-line SQL.
This is created as multiple lines, but I need to access it as a single line in filebeat.yml.
Any help?
2020-06-01T15:57:48.499723 H 15 Handler.cpp:93 stdlog sql_execute 34697 9 handcraft user 748-Nue0 {"query_str","client","execution_time","total_time"} {"SELECT user_meta.id AS user _meta_id, user_meta.security_risk_score AS user_meta_security_risk_score
FROM user_meta
WHERE 0 = 1 ORDER BY user_meta.security_risk_score DESC
LIMIT 10","http:192.168.1.213","9","9"}
Hi Andre,
Thanks a lot for your suggestion. Actually, I have used this pattern and some other patterns for my Filebeat. It works for a few queries, but not all the queries (long queries with JOIN, select inside the select). Is there any query string limitation in Filebeat?
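An added example, not part of the thread and not the pattern suggested in it: a filebeat.yml log input that groups the continuation lines of the sample above into one event and shows the size limits that apply to a joined event. The path is a placeholder, and the pattern assumes every event starts with an ISO timestamp as in the sample lines; the raised max_lines value is an illustrative choice.

```yaml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/app/stdlog.log   # placeholder path (assumption)

    # A new event starts with a timestamp such as
    # 2020-06-01T15:57:48.499723; any line that does not match
    # (FROM ..., WHERE ..., LIMIT ...) is appended to the previous event.
    multiline.pattern: '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}'
    multiline.negate: true
    multiline.match: after

    # Lines beyond max_lines within one event are discarded (default 500).
    multiline.max_lines: 2000
    # An open event is flushed after this long without a new line (default 5s).
    multiline.timeout: 10s
    # Upper size of a single event in bytes (default 10485760, i.e. 10 MiB).
    max_bytes: 10485760
```

Multiline only groups the lines: the resulting message field still contains the line breaks between them, so turning the query into a literal single line needs a later replacement step, for example an Elasticsearch ingest gsub processor.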