mysql:

 Server version: 5.7.17 

mysql日志格式:

logstash简单收集mysql慢日志-5_第1张图片

简单的要求

 需要采集慢SQL语句、该语句的查询耗时,以及执行时切换到的库(use 的库)

logstash配置写法

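input {
  file {
    # The slow log records full statement text, literal values included, so
    # every event built from it should be treated as potentially sensitive.
    # The account running Logstash only needs read access to this one file.
    path => "/data/soft/mysql-slow.log"
    start_position => "beginning"
    type => "mysql-slow"
    codec => multiline {
      # A line starting with "# User@Host:" opens a new event. With
      # negate => true, every line that does NOT match is appended to the
      # previous line, so one slow-query entry becomes one event.
      # NOTE(review): the sample log is only shown as an image; if the server
      # also writes a "# Time:" line ahead of each entry, that line ends up at
      # the tail of the preceding event. Confirm against the real log.
      pattern => "^# User@Host:"
      negate => true
      what => "previous"
      # Emit the buffered entry after 5 s without new lines. Without this the
      # most recent slow query stays in the buffer until the next header line
      # is written to the log.
      auto_flush_interval => 5
    }
  }
}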
output {
  # Route only slow-log events; the index name rolls over daily.
  if [type] == "mysql-slow" {
    elasticsearch {
      # NOTE(review): no user/password or TLS options are set in this block,
      # so the plugin defaults apply. The events carry raw SQL text; confirm
      # this endpoint is not reachable from untrusted hosts, or enable
      # authentication and TLS on the cluster and in this output.
      hosts => ["192.168.1.252:9200"]
      index => "mysql-slow1-%{+YYYY.MM.dd}"
    }
  }
}
codec的multiline插件
 使用codec的multiline插件实现多行匹配,这是一个可以将多行进行合并的插件,而且可以使用what指定将匹配到的行与前面的行合并还是和后面的行合并。
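    input {
      stdin {
        codec => multiline {
          # A line beginning with "[" marks the start of a new event.
          pattern => "^\["
          # negate => true: the lines that do NOT match the pattern are the
          # ones that get merged. With false (the default) the lines that DO
          # match are merged instead.
          negate => true
          # "previous" appends the merged line to the line before it;
          # "next" would attach it to the line that follows.
          what => "previous"
        }
      }
    }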

测试输出

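 input {
   # Slow-query log: one event per entry, keyed on the "# User@Host:" header.
   # Events contain full SQL text, so handle them as sensitive data.
   file {
     path => "/data/soft/mysql-slow.log"
     start_position => "beginning"
     type => "mysql-slow"
     codec => multiline {
       pattern => "^# User@Host:"
       negate => true
       what => "previous"
       # Flush the last buffered entry instead of waiting for the next header.
       auto_flush_interval => 5
     }
   }

   # Test-only input used to observe how the multiline codec merges lines.
   # /etc/passwd lists local account names, home directories and shells;
   # indexing it makes that inventory readable to anyone who can query the
   # cluster. Remove this input (and delete the passwd1-* indices) once the
   # test is finished, or test against a non-sensitive sample file.
   file {
     path => "/etc/passwd"
     start_position => "beginning"
     type => "passwd"
     codec => multiline {
       # Lines that do not start with "#" are appended to the previous line.
       pattern => "^#"
       negate => true
       what => "previous"
       auto_flush_interval => 5
     }
   }
 }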

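output {
  # NOTE(review): neither output sets credentials or TLS options, so the
  # plugin defaults apply. Confirm the cluster is not reachable from
  # untrusted hosts, or enable authentication and TLS.
  if [type] == "mysql-slow" {
    elasticsearch {
      index => "mysql-slow1-%{+YYYY.MM.dd}"
      hosts => ["192.168.1.252:9200"]
    }
  }

  # Test-only route for the /etc/passwd experiment; drop it together with the
  # matching input so account data does not keep flowing into the cluster.
  if [type] == "passwd" {
    elasticsearch {
      index => "passwd1-%{+YYYY.MM.dd}"
      hosts => ["192.168.1.252:9200"]
    }
  }
}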

logstash简单收集mysql慢日志-5_第2张图片
查看elasticsearch-head结果
logstash简单收集mysql慢日志-5_第3张图片
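结果是: 把#开头的和上一条合并 其他的合并一条(更准确地说:按上面的配置 negate => true、what => previous,不以 # 开头的行会并入上一条事件,以 # 开头的行则开始新的一条;/etc/passwd 里通常没有 # 开头的行,所以内容基本合并成一条)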

简单处理mysql慢日志展示

logstash简单收集mysql慢日志-5_第4张图片
kibana展示结果
logstash简单收集mysql慢日志-5_第5张图片