Problem with logstash handling the mysql-slow.log

this is the filebeat.yml:

filebeat:
  prospectors:
    -
      paths:
        - /usr/local/nginx/logs/mysql-slow.log
      input_type: log
      document_type: mysql-slow
      multiline:
        pattern: '^# User@Host'
        negate: true
        match: after

and the mysql-slow.log is like this:

# Time: 161214 1:31:38
# User@Host: alltechremotecon[alltechremotecon] @ [121.201.7.19] Id: 4864505058
# Schema: apppool Last_errno: 0 Killed: 0
# Query_time: 5.001162 Lock_time: 0.000171 Rows_sent: 10000 Rows_examined: 330000 Rows_affected: 0
# Bytes_sent: 3172809
SET timestamp=1481650298;
# administrator command: Prepare;
# User@Host: gcenter[gcenter] @ [192.168.168.100] Id: 4882345700
# Schema: gcenter Last_errno: 0 Killed: 0
# Query_time: 5.883876 Lock_time: 0.000000 Rows_sent: 0 Rows_examined: 0 Rows_affected: 0
# Bytes_sent: 435
use gcenter;
SET timestamp=1481691552;
How do I handle these two different headings, "# Time" and "# administrator"?

I tried this way:

if [message] =~ "^# administrator" {
  drop {}
}
if [message] =~ "^# Time:" {
  drop {}
}

but it didn't work as expected, so I would really appreciate it if you could help.

Why do you have the # character in the if conditional? if [message] =~ "^# administrator" {
Should it simply be if [message] =~ "^\s*administrator" {?

ok, my bad, it looks like the # character is in the data.

The answer is: you are using multiline, meaning that the message field starts with # User@Host - it will never start with # administrator or # Time
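To make the multiline behaviour concrete, here is an added example (not code from the thread or from Filebeat/Logstash) that simulates the poster's settings in Python: it aggregates a constructed copy of the slow-log excerpt with negate: true / match: after on ^# User@Host, shows that "# administrator command:" lands inside an event and "# Time:" lands at the tail of the preceding event, shows that a drop {} conditional discards the whole aggregated event (query included) whenever it does match, and then strips those two header lines and parses the remaining fields instead. The sample log is constructed (the post's lines with the leading "# " restored, plus one extra "# Time:" line before the second entry); the regexes and function names are this example's own assumptions, not Filebeat's or Logstash's.

```python
import re

# Constructed sample input, not the page's verbatim data: the slow-log excerpt
# from the post with the leading "# " restored on the header lines (the forum
# rendered them as headings), plus one extra "# Time:" line before the second
# entry so the example can show where such lines land after aggregation.
SAMPLE_LOG = """\
# Time: 161214  1:31:38
# User@Host: alltechremotecon[alltechremotecon] @  [121.201.7.19]  Id: 4864505058
# Schema: apppool  Last_errno: 0  Killed: 0
# Query_time: 5.001162  Lock_time: 0.000171  Rows_sent: 10000  Rows_examined: 330000  Rows_affected: 0
# Bytes_sent: 3172809
SET timestamp=1481650298;
# administrator command: Prepare;
# Time: 161214 12:59:12
# User@Host: gcenter[gcenter] @  [192.168.168.100]  Id: 4882345700
# Schema: gcenter  Last_errno: 0  Killed: 0
# Query_time: 5.883876  Lock_time: 0.000000  Rows_sent: 0  Rows_examined: 0  Rows_affected: 0
# Bytes_sent: 435
use gcenter;
SET timestamp=1481691552;
"""

# The Filebeat multiline pattern from the post (negate: true, match: after).
EVENT_START = re.compile(r"^# User@Host")

# The two header lines the poster wanted to get rid of (assumed regex).
HEADER_NOISE = re.compile(r"^# (?:Time|administrator command):[^\n]*\n?", re.M)

USER_HOST = re.compile(
    r"^# User@Host: (?P<user>[^\[\s]+)\[[^\]]*\] @ *(?P<host>[^\s\[]*) *"
    r"\[(?P<ip>[\d.]+)\]\s+Id:\s+(?P<id>\d+)",
    re.M,
)
TIMESTAMP = re.compile(r"^SET timestamp=(\d+);", re.M)
NUMERIC_FIELDS = ("Query_time", "Lock_time", "Rows_sent", "Rows_examined",
                  "Rows_affected", "Bytes_sent")


def aggregate_multiline(lines, start=EVENT_START):
    """Simulate Filebeat multiline with negate: true and match: after.

    A line matching the pattern opens a new event; every line that does not
    match is appended to the event being built. Lines seen before the first
    matching line (here the leading "# Time:") form a fragment of their own.
    """
    events, current = [], []
    for line in lines:
        if start.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def drop_matching(events, pattern, line_anchored=False):
    """Simulate `if [message] =~ "<pattern>" { drop {} }`: an event whose
    message matches is discarded wholesale, query text included.
    line_anchored=True shows the outcome when ^ matches at every line of the
    aggregated message rather than only at its start."""
    rx = re.compile(pattern, re.M if line_anchored else 0)
    return [e for e in events if not rx.search(e)]


def strip_header_noise(message):
    """Remove the '# Time:' and '# administrator command:' lines from an
    aggregated event instead of dropping the event (what a mutate/gsub-style
    edit would do in the Logstash filter, as opposed to drop {})."""
    return HEADER_NOISE.sub("", message).rstrip("\n")


def parse_event(message):
    """Extract the audit-relevant fields from one aggregated slow-log event."""
    m = USER_HOST.search(message)
    if not m:
        raise ValueError("not a slow-log event: no '# User@Host' header")
    fields = {"user": m["user"], "host": m["host"] or None,
              "ip": m["ip"], "thread_id": int(m["id"])}
    for key in NUMERIC_FIELDS:
        km = re.search(rf"\b{key}: (\S+)", message)
        if km:
            fields[key.lower()] = (float(km.group(1)) if key.endswith("_time")
                                   else int(km.group(1)))
    ts = TIMESTAMP.search(message)
    if ts:
        fields["timestamp"] = int(ts.group(1))
    return fields


def process(log_text):
    """Full pipeline: aggregate, strip header noise, parse. Fragments without a
    User@Host header are counted and skipped rather than silently lost."""
    parsed, skipped = [], 0
    for event in aggregate_multiline(log_text.splitlines()):
        try:
            parsed.append(parse_event(strip_header_noise(event)))
        except ValueError:
            skipped += 1
    return parsed, skipped


if __name__ == "__main__":
    records, skipped = process(SAMPLE_LOG)
    print(f"{len(records)} events parsed, {skipped} fragment(s) skipped")
    for record in records:
        print(record)
```

Two points worth keeping in mind when doing this for real. First, drop {} on any condition that can match an aggregated event throws away the whole slow-query record, not just the offending line, so a filter meant to tidy headers can quietly erase audit data; strip the lines and keep the event. Second, the statement text in a slow log is the full query, which can carry literal credentials or personal data, so mask or truncate it before shipping the events to a shared index.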

Magnus answered this here How to drop a message
