input {
  file {
    type => "mysql-slow"
    path => "/root/mysql-slow.log"
    start_position => "beginning"
    # A slow-log record spans several lines. Every line that does NOT begin
    # with the "# User@Host:" header is folded into the preceding event, so
    # one event == one logged query.
    codec => multiline {
      pattern => "^# User@Host:"
      negate => true
      what => "previous"
    }
  }
}
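filter {
  # Tag "SELECT SLEEP" probe queries so they can be dropped below. The empty
  # tag_on_failure keeps real slow-log records from being marked
  # _grokparsefailure merely because they do not contain that text.
  grok {
    match => { "message" => "SELECT SLEEP" }
    add_tag => [ "sleep_drop" ]
    tag_on_failure => []
  }
  if "sleep_drop" in [tags] {
    drop {}
  }

  # Parse the folded slow-log record: user/host header, timing and row
  # counters, optional "use <db>;", the UNIX timestamp and the query text.
  # NOTE(review): the ".*?n?" just before the <query> capture looks as if it
  # was meant to be "\n?" -- confirm against real slow-log records before
  # touching the pattern.
  grok {
    match => ["message", "# User@Host: %{USER:user}\[[^\]]+\] @ (?:(?<clienthost>\S*) )?\[(?:%{IP:clientip})?\]\s*.+?#\sQuery_time: %{NUMBER:query_time}\s+Lock_time: %{NUMBER:lock_time}\s+Rows_sent: %{NUMBER:rows_sent}\s+Rows_examined: %{NUMBER:rows_examined}\s*.+?(?:use %{DATA:database};\s*)?SET timestamp=%{NUMBER:timestamp};.*?n?(?<query>(?<action>\w+)\s+.*;)%{GREEDYDATA}"]
  }

  # "SET timestamp=<epoch seconds>" becomes the event's @timestamp.
  date {
    match => [ "timestamp", "UNIX" ]
    remove_field => [ "timestamp" ]
  }

  # Normalise the query text with pt-fingerprint (looked up relative to the
  # Logstash process working directory) so statements that differ only in
  # literals share one "query_finger" value.
  ruby {
    # Loaded once at startup instead of on every event.
    init => 'require "open3"'
    code => '
      query = event.get("query")
      # Guard instead of a bare return: the filter code is wrapped by Logstash
      # and an early return is not reliable across versions.
      if query && !query.empty?
        begin
          # Argument-vector form: the query is one argv element and no shell
          # is involved, so quotes, semicolons and other shell metacharacters
          # inside a logged query are plain data, never commands.
          stdout, _stderr, status = Open3.capture3("./pt-fingerprint", "--query", query)
          if status.success? && !stdout.empty?
            event.set("query_finger", stdout.chomp)
          else
            # Tool ran but produced nothing usable; mark the event rather than
            # storing an empty fingerprint. (tag name chosen here)
            event.tag("pt_fingerprint_failed")
          end
        rescue SystemCallError
          # pt-fingerprint missing or not executable: keep the event, mark it.
          event.tag("pt_fingerprint_failed")
        end
      end
    '
  }

  # Turn the grok string captures into numbers; the raw multi-line message is
  # no longer needed once it has been parsed.
  mutate {
    convert => {
      "query_time" => "float"
      "lock_time" => "float"
      "rows_examined" => "integer"
      "rows_sent" => "integer"
    }
    remove_field => ["message"]
  }
}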
output {
  # Print every parsed event in Ruby inspect style to the Logstash stdout.
  stdout {
    codec => rubydebug {}
  }
}