Something is wrong with your config

Below is my Logstash config file, followed by the log file it is meant to parse.

input :

# Input: read the slow-query log file from the start and join each entry into one event.
input {
file {
path => "/Users/atul.maurya/Desktop/Data1/squery1.txt"
start_position => "beginning"
# NOTE(review): "since_db" is not a setting of the file input; the setting is named
# sincedb_path. An unknown setting fails plugin validation at startup, which is
# consistent with the inputs/base.rb frame in the backtrace quoted later on this page.
# Pointing sincedb_path at "NUL" (the Windows null device) is the usual way to keep
# read positions from being persisted between runs.
since_db => "NUL"

# Any line that does NOT start with "# User@Host:" is appended to the previous line,
# so a "# Time:" line ends up at the tail of the preceding event.
codec => multiline {
  pattern => "^# User@Host:"
  negate => true
  what => previous
}

}
}
# Filter: pull slow-log fields out with grok, set @timestamp from the
# "SET timestamp=" epoch value, then drop the temporary field.
filter {
# NOTE(review): problems visible in the patterns as posted:
#  - "[" and "]" are regex metacharacters and appear unescaped in the User@Host
#    pattern (the forum may have swallowed backslashes; confirm against the file);
#  - the Query_time pattern string is split across two lines;
#  - %{:client} has no pattern name before the colon, so it is not a valid grok reference;
#  - by default grok stops at the first pattern that matches (break_on_match), so one
#    pattern per log line will not extract every field from a single multiline event.
# The trailing %{GREEDYDATA} matches anything, so no event is ever tagged as a grok failure.
# The full SQL text, including literal values, stays in "message" and gets indexed;
# restrict read access to the index accordingly.
grok {
match => {
message => [
"# User@Host: %{USER:user}[[^]+]] @ %{HOST:host} [%{IP:ip}?\ \sId: %{NUMBER:id:int}]",
"# Query_time: %{NUMBER:duration:float} \s
Lock_time: %{NUMBER:lock_wait:float} \sRows_sent: %{NUMBER:results:int} \sRows_examined: %{NUMBER:scanned:int}",
"use channelplay_%{:client};",
"SET timestamp=%{NUMBER:timestamp};",
"%{GREEDYDATA}"
]
}
}
# Parse the captured epoch-seconds value as the event time.
date {
match => [ "timestamp" , "UNIX"]
}
# The raw epoch field is no longer needed once the date filter has run.
mutate {
remove_field => "timestamp"
}
}

# Output: print one dot per event as a progress indicator and index events into "slow1".
output {
stdout {
codec => dots {}
}

# NOTE(review): no user/password or TLS settings are given, which only suits an
# unauthenticated local test node. The indexed events carry database account names,
# client IPs and full statements, so confirm access controls before using a shared cluster.
elasticsearch {
hosts => "localhost:9200"
index => "slow1"
}
}

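And the following is the log (MySQL-style slow query log; the leading "# " on the Time, User@Host and Query_time lines appears to have been stripped by the forum's rendering):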

Time: 190606 9:23:13

User@Host: db_usr_retaility[db_usr_retaility] @ [10.0.2.8] Id: 448634

Query_time: 10.587880 Lock_time: 0.000429 Rows_sent: 81 Rows_examined: 17762397

use channelplay_pernorica;
SET timestamp=1559793193;
SELECT MMP.master_id, P.project_id, P.parent_outlet,
UM.user_revision_id, PM.project_revision_id FROM
cp_cm_user_prj_role_owner_assign PA INNER JOIN cp_cm_project P ON
PA.project_id = P.project_id INNER JOIN cp_project_role PR ON
PA.project_id = PR.project_id AND PA.role_id = PR.role_id INNER JOIN
cp_cm_roles_mobile_access R ON PR.prj_role_id = R.prj_role_id INNER
JOIN cp_cm_menu_mobile MM ON R.menu_id = MM.menu_id INNER JOIN
cp_inbound_menu_mapping MMP ON MM.menu_id = MMP.menu_id LEFT JOIN
(SELECT MAX(id) AS user_revision_id, master_id, project_id FROM
cp_cm_revision_user_master GROUP BY master_id, project_id ) UM ON
P.project_id = UM.project_id AND MMP.master_id = UM.master_id LEFT JOIN
(SELECT MAX(id) AS project_revision_id, master_id, project_id FROM
cp_cm_revision_project_master GROUP BY master_id, project_id ) PM ON
P.project_id = PM.project_id AND MMP.master_id = PM.master_id WHERE
PA.user_id = 1995 AND R.access IN (1) AND P.is_active = 1 AND PA.active
= 1 GROUP BY MMP.master_id, P.project_id;

Time: 190606 9:25:06

User@Host: db_usr_retaility[db_usr_retaility] @ [10.0.2.7] Id: 452567

Query_time: 10.557897 Lock_time: 0.000501 Rows_sent: 41 Rows_examined: 17762035

use channelplay_pernorica;
SET timestamp=1559793306;
SELECT MMP.master_id, P.project_id, P.parent_outlet,
UM.user_revision_id, PM.project_revision_id FROM
cp_cm_user_prj_role_owner_assign PA INNER JOIN cp_cm_project P ON
PA.project_id = P.project_id INNER JOIN cp_project_role PR ON
PA.project_id = PR.project_id AND PA.role_id = PR.role_id INNER JOIN
cp_cm_roles_mobile_access R ON PR.prj_role_id = R.prj_role_id INNER
JOIN cp_cm_menu_mobile MM ON R.menu_id = MM.menu_id INNER JOIN
cp_inbound_menu_mapping MMP ON MM.menu_id = MMP.menu_id LEFT JOIN
(SELECT MAX(id) AS user_revision_id, master_id, project_id FROM
cp_cm_revision_user_master GROUP BY master_id, project_id ) UM ON
P.project_id = UM.project_id AND MMP.master_id = UM.master_id LEFT JOIN
(SELECT MAX(id) AS project_revision_id, master_id, project_id FROM
cp_cm_revision_project_master GROUP BY master_id, project_id ) PM ON
P.project_id = PM.project_id AND MMP.master_id = PM.master_id WHERE
PA.user_id = 2088 AND R.access IN (1) AND P.is_active = 1 AND PA.active
= 1 GROUP BY MMP.master_id, P.project_id;

Time: 190606 9:25:14

Error reported when loading the config:

Something is wrong with your configuration.", :backtrace=>["C:/Users/atul.maurya/Desktop/loger/logstash-core/lib/logstash/config/mixin.rb:86:in config_init'", "C:/Users/atul.maurya/Desktop/loger/logstash-core/lib/logstash/inputs/base.rb:60:ininitialize'", "org/logstash/plugi

There should be another error message preceding this one.

Query_time: 10.587880 Lock_time: 0.000429 Rows_sent: 81 Rows_examined: 17762397

# Single-pattern grok for the Query_time line of the slow log.
# NOTE(review): the stray `",` directly after %{NUMBER:dur:float} closes the pattern
# string early, so everything from \s+Lock_time onward sits outside the quotes.
# The pattern is also anchored on "^# Query_time:", while the sample line shown on
# this page has no leading "# "; either difference alone gives "no match".
grok {
match => [ "message" , "^# Query_time: %{NUMBER:dur:float}",\s+Lock_time: %{NUMBER:wait:float} Rows_sent: %{NUMBER:rows:int} \s*Rows_examined: %{NUMBER:examined:int}"]
}

Ran this in grokdebugger but it shows no match found.

# Input: read the Tomcat log file from the start and tag events with type "tomcat".
input {
file {
type => "tomcat"
path => "/Users/atul.maurya/Desktop/Data1/tom.txt"
start_position => "beginning"
# NOTE(review): "since_db" is not a file-input setting (the setting is sincedb_path);
# an unknown setting is rejected when the plugin validates its configuration.
since_db => "NUL"
}
}
# Filter: join continuation lines, parse Tomcat/Catalina lines with custom
# patterns, and set the event time from the captured timestamp.
filter
{
# NOTE(review): the multiline *filter* is not bundled with current Logstash
# releases; the multiline codec on the input is the replacement. Confirm for
# the version in use.
multiline {
patterns_dir => "/Users/atul.maurya/Desktop/pattern"
pattern => "(^%{TOMCAT_DATESTAMP})|(^%{CATALINA_DATESTAMP})"
negate => true
what => "previous"
}
# NOTE(review): this check runs before the grok below, so at this point the tag
# cannot have been set by that grok; the drop presumably belongs after it.
if "_grokparsefailure" in [tags] {
drop { }
}
grok {
patterns_dir => "/Users/atul.maurya/Desktop/pattern"
match => [ "message", "%{TOMCATLOG}", "message", "%{CATALINALOG}" ]
}
# NOTE(review): the second format has a comma after MMM, whereas CATALINA_DATESTAMP
# has none after the month; it also pairs 24-hour "HH" with the AM/PM marker "a".
# Verify both against a real log line.
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS Z", "MMM, dd, yyyy HH:mm:ss a" ]
}
}

# Output: print one dot per event and index events into "tom".
output {

stdout {
codec => dots {}
}
# NOTE(review): "embedded" was dropped from the elasticsearch output in Logstash 2.x
# (confirm for the version in use); where it is no longer accepted it is rejected
# as an unknown setting. No hosts, credentials or TLS settings are given either.
elasticsearch {
embedded => true
index => "tom"
}
}

pattern list :

# Custom grok patterns for Tomcat / Catalina log lines (one "NAME regex" per line).
# NOTE(review): as shown here the "." in JAVACLASS is unescaped and matches any character.
# The "|" separators in TOMCATLOG are also unescaped, so they act as regex alternation
# rather than literal pipes. The forum may have swallowed backslashes; confirm against
# the actual pattern file.
JAVACLASS (?:[a-zA-Z0-9-]+.)+[A-Za-z0-9$]+
JAVALOGMESSAGE (.*)
CATALINA_DATESTAMP %{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)
TOMCAT_DATESTAMP 20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}
CATALINALOG %{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}
TOMCATLOG %{TOMCAT_DATESTAMP:timestamp} | %{LOGLEVEL:level} | %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}

Still getting the same error: "Something is wrong with your configuration." Please help!

Getting same error on different log files
