Filebeat merge several lines from mysql-slow.log into one line

Vladpov · November 8, 2019, 8:18pm

Hello everyone,

I'm trying to analyze mysql-slow.log by using Filebeat Logstash and Elasticsearch. I have messages in mysql-slow.log file that look like this:

# Time: 2019-11-08T20:02:05.474508Z
# User@Host: user[user] @ localhost []  Id:     2
# Query_time: 0.000716  Lock_time: 0.000223 Rows_sent: 2  Rows_examined: 2
SET timestamp=1573243325;
select * from Persons;

First I try to make Filebeat send this log message with 5 lines to elasticsearch but all of them together in one line.

I set multiline input in filebeat.yml

multiline.pattern = `^\#`
multiline.negate = true
multiline.match = after

Unfortunately it doesn't work and elasticsearch recieves lines separately

message --> # Time: 2019-11-08T20:02:05.474508Z
message --> # User@Host: user[user] @ localhost [?] Id: 2 and so on...

I want to recieve it in one message in the following format:

# Time: 2019-11-08T20:02:05.474508Z # User@Host: user[user] @ localhost []  Id:     2 # Query_time: 0.000716  Lock_time: 0.000223 Rows_sent: 2  Rows_examined: 2 SET timestamp=1573243325; select * from Persons;

Thanks for any help!

exekias · November 13, 2019, 11:32am

Hi @Vladpov,

I'm wondering, did you try the MySQL module for this? It should take care of configuring the input for you, including slowlog: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-mysql.html

Best regards

system · December 11, 2019, 11:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.