This is the filebeat.yml:

    filebeat:
      prospectors:
        - paths:
            - /usr/local/nginx/logs/mysql-slow.log
          input_type: log
          document_type: mysql-slow
          multiline:
            pattern: ^# User@Host
            negate: true
            match: after

And the mysql-slow.log is like this:

    # Time: 161214 1:31:38
    # User@Host: alltechremotecon[alltechremotecon] @ [121.201.7.19] Id: 4864505058
    # Schema: apppool Last_errno: 0 Killed: 0
    # Query_time: 5.001162 Lock_time: 0.000171 Rows_sent: 10000 Rows_examined: 330000 Rows_affected: 0
    # Bytes_sent: 3172809
    SET timestamp=1481650298;
    # administrator command: Prepare;
    # User@Host: gcenter[gcenter] @ [192.168.168.100] Id: 4882345700
    # Schema: gcenter Last_errno: 0 Killed: 0
    # Query_time: 5.883876 Lock_time: 0.000000 Rows_sent: 0 Rows_examined: 0 Rows_affected: 0
    # Bytes_sent: 435
    use gcenter;
    SET timestamp=1481691552;

How do I handle these two different headings, "# Time" and "# administrator"?
I tried this way:

    if [message] =~ "^# administrator" {
      drop {}
    }
    if [message] =~ "^# Time:" {
      drop {}
    }

But it didn't work as expected. So I would really appreciate it if you could help.
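
An added example, not part of the original post and not Filebeat's or Logstash's own code: a simplified Python model of the multiline settings above (`negate: true`, `match: after`), run over a constructed sample based on the posted log. It shows that the "# Time:" and "# administrator" lines end up inside the joined events, so removing them means stripping lines from the message rather than dropping the event; the function names are hypothetical.

```python
import re

# Constructed sample based on the slow log in the post (a second "# Time:"
# line is added before the second entry to show where such a line ends up).
SAMPLE = """\
# Time: 161214 1:31:38
# User@Host: alltechremotecon[alltechremotecon] @ [121.201.7.19] Id: 4864505058
# Query_time: 5.001162 Lock_time: 0.000171 Rows_sent: 10000
SET timestamp=1481650298;
# administrator command: Prepare;
# Time: 161214 12:59:12
# User@Host: gcenter[gcenter] @ [192.168.168.100] Id: 4882345700
# Query_time: 5.883876 Lock_time: 0.000000 Rows_sent: 0
use gcenter;
SET timestamp=1481691552;
""".splitlines()

START = re.compile(r"^# User@Host")              # multiline.pattern from the post
NOISE = re.compile(r"^# (Time:|administrator)")  # the two headings in question

def group_multiline(lines, start=START):
    """Simplified model of negate: true / match: after: a line that does
    not match `start` is appended to the event that precedes it."""
    events, current = [], []
    for line in lines:
        if start.search(line) and current:
            events.append("\n".join(current))    # a new entry begins here
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

def strip_noise(event):
    """Remove the unwanted lines from one joined event; None if nothing is left."""
    kept = [line for line in event.split("\n") if not NOISE.search(line)]
    return "\n".join(kept) or None

def clean_events(lines):
    """Group first, then strip per event, keeping only non-empty results."""
    return [c for e in group_multiline(lines) if (c := strip_noise(e))]

if __name__ == "__main__":
    for number, event in enumerate(clean_events(SAMPLE), 1):
        print(f"--- event {number} ---\n{event}")
```
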