Mysql slow log cannot parse

Elastic Stack Beats
1

filebeat version is 6.2.3
mysql version is 5.6.38

I install filebeat filebeat-6.2.3-linux-x86_64.tar.gz. and start mysql modules.
when I start filebeat with mysql 5.1.73 and parse mysql slow log , it can parse the slow log success. but when I start filebeat with mysql 5.6.38 , it cannot parse mysql slow log ,the error is:

Provided Grok expressions do not match field value: .....

and when I execute a SQL in mysql , it will split two message and send to elasticseach. the SQL is "select sleep(2);". filebeat will send '\n# Time: [0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9]0-9?$' to elasticsearch.

so what should I do ? change the mysql slow pipeline.json ?

2

I have change the config/slowlog.yml file .

exclude_lines: ['^[\/\w\.]+, Version: .* started with:.*','^# Time.*']   # Exclude the header

and the slow log can parse success and cannot see the error in kibana

Provided Grok expressions do not match field value: .....

and I also chane the pipeline.json file.
before change:

"^# User@Host: %{USER:mysql.slowlog.user}(\\[[^\\]]+\\])? @ %{HOSTNAME:mysql.slowlog.host} \\[(%{IP:mysql.slowlog.ip})?\\](\\s*Id:\\s* %{NUMBER:mysql.slowlog.id})?\n# Query_time: %{NUMBER:mysql.slowlog.query_time.sec}\\s* Lock_time: %{NUMBER:mysql.slowlog.lock_time.sec}\\s* Rows_sent: %{NUMBER:mysql.slowlog.rows_sent}\\s* Rows_examined: %{NUMBER:mysql.slowlog.rows_examined}\n(SET timestamp=%{NUMBER:mysql.slowlog.timestamp};\n)?%{GREEDYMULTILINE:mysql.slowlog.query}"

alter change:

"^# User@Host: %{USER:mysql.slowlog.user}(\\[[^\\]]+\\])? @ %{HOSTNAME:mysql.slowlog.host} \\[(IP:mysql.slowlog.ip)?\\](\\s*Id:\\s* %{NUMBER:mysql.slowlog.id})?\n# Query_time: %{NUMBER:mysql.slowlog.query_time.sec}\\s* Lock_time: %{NUMBER:mysql.slowlog.lock_time.sec}\\s* Rows_sent: %{NUMBER:mysql.slowlog.rows_sent}\\s* Rows_examined: %{NUMBER:mysql.slowlog.rows_examined}\n(SET timestamp=%{NUMBER:mysql.slowlog.timestamp};\n)?%{GREEDYMULTILINE:mysql.slowlog.query}"
1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.