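input {
  file {
    type => "mysql-slow"
    path => "/home/www/mysql-slow.log"
    # Only honoured the first time this file is seen; afterwards the sincedb
    # offset decides where reading resumes.
    start_position => "beginning"
  }
}

filter {
  # drop sleep events: tag any line containing "SELECT SLEEP", then drop it below
  grok {
    match => { "message" => "SELECT SLEEP" }
    add_tag => [ "sleep_drop" ]
    tag_on_failure => []   # prevent default _grokparsefailure tag on real records
  }
  # grok {
  #   match => { "message" => "recode something about" }
  #   add_tag => [ "recode_drop" ]
  #   tag_on_failure => []   # prevent default _grokparsefailure tag on real records
  # }
  if "sleep_drop" in [tags] {
    drop {}
  }
  # if "recode_drop" in [tags] {
  #   drop {}
  # }

  # Join every line up to the next "# Time: " header into a single event.
  # NOTE(review): the multiline *filter* is deprecated and not safe with more
  # than one pipeline worker; the multiline codec on the file input is the
  # supported replacement -- confirm before relying on this in production.
  multiline {
    pattern => "^# Time: "
    negate => true
    what => "previous"
  }

  grok {
    # The named capture groups in this copy had lost their "<name>" part
    # ("(?\S*)", "(?(.|\n)*;)"), which is invalid regex and stops Logstash
    # from loading the pipeline. The names clienthost, query and action are
    # restored here; check them against whatever consumes these fields.
    # Under (?m) "." already matches newlines, so "(.|\n)*" is written as ".*"
    # (same matches, without the per-character alternation).
    # Earlier, more permissive variant kept for reference:
    # match => { "message" => "(?m)^#\s+Time\s?.*\s+#\s+User@Host:\s+%{USER:user}\[[^\]]+\]\s+@\s+(?:(?<clienthost>\S*) )?\[(?:%{IPV4:clientip})?\]\s+Id:\s+%{NUMBER:row_id:int}\n#\s+Query_time:\s+%{NUMBER:query_time:float}\s+Lock_time:\s+%{NUMBER:lock_time:float}\s+Rows_sent:\s+%{NUMBER:rows_sent:int}\s+Rows_examined:\s+%{NUMBER:rows_examined:int}\n\s*(?:use %{DATA:database};\s*\n)?SET\s+timestamp=%{NUMBER:timestamp};\n\s*(?<query>(?<action>\w+)(.*[\w.*\W.*])*;)\s*$" }
    match => { "message" => "(?m)^#\s+Time\s?.*\s+#\s+User@Host:\s+%{USER:user}\[[^\]]+\]\s+@\s+(?:(?<clienthost>\S*) )?\[(?:%{IPV4:clientip})?\]\s+Id:\s+%{NUMBER:row_id:int}\n#\s+Query_time:\s+%{NUMBER:query_time:float}\s+Lock_time:\s+%{NUMBER:lock_time:float}\s+Rows_sent:\s+%{NUMBER:rows_sent:int}\s+Rows_examined:\s+%{NUMBER:rows_examined:int}\n\s*(?:use %{DATA:database};\s*\n)?SET\s+timestamp=%{NUMBER:timestamp};\n\s*(?<query>.*;)\s*$" }
  }

  date {
    match => [ "timestamp", "UNIX" ]
    remove_field => [ "message" ]
  }
}

output {
  # Debug output: every slow query, including any literal values it carries,
  # is written to Logstash's stdout/log. Remove once the pipeline is verified.
  stdout { codec => rubydebug }
  elasticsearch {
    #action => "index"
    # Plain host:port entries mean basic-auth credentials travel unencrypted
    # unless the cluster terminates TLS; prefer https:// URLs with ssl => true.
    hosts => ["elk:9200","elk2:9200","elk3:9200"]
    index => "mysql-slowlog"
    user => "elastic"
    template_overwrite => true
    # Credential is resolved from the Logstash keystore (or environment) instead
    # of being committed in this file; ES_PASSWORD is a placeholder key name.
    # Any password that was previously checked in here should be rotated.
    password => "${ES_PASSWORD}"
  }
}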