Hi,
Does the MySQL module not support MySQL 5.6?
The MySQL module was tested with logs from versions 5.5 and 5.7.
I modified pipeline.json, but...
- Filebeat version 5.6.2
- Elasticsearch version 5.6.2
- MySQL version 5.6.33-0ubuntu0.14.04.1
And here is my sample log file:
/usr/sbin/mysqld, Version: 5.6.33-0ubuntu0.14.04.1-log ((Ubuntu)). started with:
Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock
Time Id Command Argument
# Time: 171011 11:54:41
# User@Host: root[root] @ [10.254.254.91] Id: 54014516
# Query_time: 21.340617 Lock_time: 0.000098 Rows_sent: 63264 Rows_examined: 63264
use aaa;
SET timestamp=1507694081;
select * from kkk;
# Time: 171011 11:55:48
# User@Host: root[root] @ [10.254.254.91] Id: 54014516
# Query_time: 43.426563 Lock_time: 0.000093 Rows_sent: 63264 Rows_examined: 63264
SET timestamp=1507694148;
select * from kkk;
mysql/slowlog/ingest/pipeline.json
{
"description": "Pipeline for parsing MySQL slow logs.",
"processors": [{
"grok": {
"field": "message",
"patterns":[
"^# Time: %{NUMBER:mysql.slowlog.date} %{TIME:mysql.slowlog.time}\n# User@Host: %{USER:mysql.slowlog.user}\\[%{WORD}\\] @ %{WORD:mysql.slowlog.dbhost}? \\[%{IP:mysql.slowlog.ip}\\]?(\\s*Id: %{NUMBER:mysql.slowlog.id})?\n# Query_time: %{NUMBER:mysql.slowlog.query_time.sec}\\s* Lock_time: %{NUMBER:mysql.slowlog.lock_time.sec}\\s* Rows_sent: %{NUMBER:mysql.slowlog.rows_sent}\\s* Rows_examined: %{NUMBER:mysql.slowlog.rows_examined}\n(SET timestamp=%{NUMBER:mysql.slowlog.timestamp};\n)?%{GREEDYMULTILINE:mysql.slowlog.query}"
],
"pattern_definitions" : {
"GREEDYMULTILINE" : "(.|\n)*"
},
"ignore_missing": true
}
}, {
"remove":{
"field": "message"
}
}, {
"date": {
"field": "mysql.slowlog.timestamp",
"target_field": "@timestamp",
"formats": ["UNIX"],
"ignore_failure": true
}
}
],
"on_failure" : [{
"set" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}]
}
mysql/slowlog/config/slowlog.yml
input_type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
multiline:
pattern: '^# Time: '
negate: true
match: after
exclude_lines: ['^[\/\w\.]+, Version: .* started with:.*']
Thanks for your help