Multiline parser

Hello,

I am glad to join the Elastic Stack community. To parse SQL logs I need to put together rows into one:

juin 26 13:30:05 sqlpc mysql-slow: SELECT fk.pib, fk.id, fk.idAccount, fk.idVad, fk.somevalue, fk.somevalue, fk.somevalue AS date, fk.somevalue, "no" AS somevalue
juin 26 13:30:05 sqlpc mysql-slow: FROM fk

juin 26 13:30:05 sqlpc mysql-slow: LEFT JOIN fkifhkj AS tfcd ON tfcd.lf = fk.id

juin 26 13:30:05 sqlpc mysql-slow: INNER JOIN somevalue ON somevalue = fk.id

juin 26 13:30:05 sqlpc mysql-slow: LEFT JOIN somevalue ON fk.id = somevalue

juin 26 13:30:05 sqlpc mysql-slow: LEFT JOIN somevalue on fk.id = somevalue

juin 26 13:30:05 sqlpc mysql-slow: WHERE (somevalue IS NULL) AND (somevalue = 'somevalue') AND (somevalue BETWEEN 'somevalue' AND 'somevalue') AND ((somevalue = 'somevalue'))

And also :

juin 26 01:06:35 pc-str END {
juin 26 01:06:35 pc-str print "processes.value " 0+processes;
juin 26 01:06:35 pc-str print "uninterruptible.value " 0+stat["D"];
juin 26 01:06:35 pc-str print "runnable.value " 0+stat["R"];
juin 26 01:06:35 pc-str print "sleeping.value " 0+stat["S"];
juin 26 01:06:35 pc-str print "idle.value " 0+stat["I"];
juin 26 01:06:35 pc-str print "stopped.value " 0+stat["T"];
juin 26 01:06:35 pc-str print "paging.value " 0+stat["W"];
juin 26 01:06:35 pc-str print "dead.value " 0+stat["X"];
juin 26 01:06:35 pc-str print "zombie.value " 0+stat["Z"];
juin 26 01:06:35 pc-str }
Can you help me to do this?

Best regards,

You can combine lines using a multiline codec, but that requires a regular expression that the codec can use to know when a multiline group starts or ends.

You can combine lines with an aggregate filter, but that requires a field (a task_id) that indicates which lines should be grouped together.

You can combine lines with a ruby filter. You can write arbitrarily complex code in a ruby filter that maintains state across lines. The second example would not be very hard -- if you see END { then collect lines together until you see }. The first example is going to be much harder. Your code will need to know a lot about SQL syntax, and what can and cannot be part of a statement.
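The stateful approach described above for the second sample (collect from `END {` until `}`), as an added stand-alone sketch that is not code from this thread: it is written the way a logstash-filter-ruby script's `filter(event)` method returns its events, but the `Event` class is an assumed minimal stand-in for Logstash's event API, and the syslog regex and the `line_count` field name are assumptions.

```ruby
# Added example, not from the thread. Event is an assumed stand-in for
# Logstash's event API (get/set/cancel) so the logic can run outside Logstash.
class Event
  attr_reader :cancelled
  def initialize(fields)
    @fields = fields
    @cancelled = false
  end
  def get(key); @fields[key]; end
  def set(key, value); @fields[key] = value; end
  def cancel; @cancelled = true; end
end

# Assumed syslog shape: "<month> <day> <hh:mm:ss> <host> <body>".
SYSLOG = /\A(?<stamp>\S+ +\d+ \d\d:\d\d:\d\d) (?<host>\S+) (?<body>.*)\z/

class BlockCollector
  def initialize
    @buffer = nil   # nil while not inside an "END { ... }" block
  end

  # Same contract as a ruby-filter script: return the events to emit.
  # Lines inside a block are cancelled; the closing "}" line carries the
  # joined block (so it keeps that line's timestamp and host).
  def filter(event)
    m = SYSLOG.match(event.get("message").to_s)
    return [event] unless m                 # not syslog-shaped: pass through
    body = m[:body]
    if @buffer.nil?
      return [event] unless body.strip.end_with?("END {")
      @buffer = [body]                      # block opens: start buffering
    else
      @buffer << body
      if body.strip == "}"                  # block closes: emit joined text
        event.set("message", @buffer.join("\n"))
        event.set("line_count", @buffer.size)
        @buffer = nil
        return [event]
      end
    end
    event.cancel                            # swallowed until the block closes
    []
  end
end

# Convenience for running a batch of raw lines through one collector.
def combine_lines(lines)
  collector = BlockCollector.new
  lines.flat_map { |line| collector.filter(Event.new("message" => line)) }
end
```

A block that never sees its closing `}` stays buffered and emits nothing, which is the same trade-off the real filter would have to handle (for example by flushing on a line limit).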


Hello badger, thanks for the reply. I have another question: I am using a single syslog input for all source logs, which directs the logs to the pipeline concerned based on the IP address of the host. Do you have any idea how I can apply multiline only for mysql-slow logs?
