如何在 fluentd 中将多行 mysql-slow-log 收集为单行格式?
How to collect multiline mysql-slow-log to single line format in fluentd?
我要传以下日志
# Time: 210226 12:28:55
# User@Host: root[root] @ localhost []
# Query_time: 0.025196 Lock_time: 0.000074 Rows_sent: 10000 Rows_examined: 10000
SET timestamp=1614310135;
select * from posts;
我的fluent.conf文件配置如下:
<source>
type tail_asis_alternative
path /var/log/mysql/slow.log
pos_file /var/log/td-agent/pos/slow.log.pos
tag raw.mysql-slowlog
</source>
<match raw.mysql-slowlog.**>
type parser
remove_prefix raw
format /^(?<message>.*)/
time_format %d-%b-%Y %H:%M:%S %Z
key_name message
</match>
我得到的结果是多行而不是一行
20210226T122159+0900 mysql-slowlog.db0001 {"message":"# Time: 210226 12:21:59"}
20210226T122159+0900 mysql-slowlog.db0001 {"message":"# User@Host: root[root] @ localhost []"}
20210226T122159+0900 mysql-slowlog.db0001 {"message":"# Query_time: 0.028777 Lock_time: 0.000146 Rows_sent: 10000 Rows_examined: 10000"}
20210226T122159+0900 mysql-slowlog.db0001 {"message":"SET timestamp=1614309719;"}
20210226T122159+0900 mysql-slowlog.db0001 {"message":"select * from posts;"}
顺便说一句,我可以使用 fluent-plugin-mysqlslowquerylog.[=15 将多行 MySQL-slow-log 收集到流利的单行格式=]
我的 fluent.conf 文件将日志从数据库服务器转发到 fluentdserver:
<source>
@type tail
path /var/log/mysql/slow.log
format /^(?<message>.+)$/
tag "slowlog.#{Socket.gethostname}"
</source>
<match slowlog.*.*.*>
type mysqlslowquerylog
add_tag_prefix mysql.
</match>
<match mysql.slowlog.*.*.*>
@type keep_forward
heartbeat_type tcp
phi_threshold 100
buffer_type file
buffer_path /var/log/td-agent/buffer/out_forward_mysqlslowlog
flush_interval 30s
retry_limit 20000
max_retry_wait 2m
flush_at_shutdown true
<server>
host fluentd001.xxx.com
port 24220
weight 50
</server>
</match>
我从fluentd服务器到elasticsearch服务器的配置文件。
注意:我们还需要fluentd-plugin-forest为每个标签部分动态输出插件,
<match mysql.slowlog.*.*.*>
type forest
subtype copy
<template>
<store>
type elasticsearch
hosts eslastic001.xxx.com
port 9200
buffer_type file
buffer_path /var/log/td-agent/buffer/out_elasticsearch_mysqlslowlog
logstash_format true
logstash_prefix mysql.slowlog-${tag_parts[2]}.${tag_parts[3]}.${tag_parts[4]}
flush_interval 30s
retry_limit 20000
flush_at_shutdown true
</store>
</template>
</match>
这里是 elasticsearch 服务器的结果
user:root[root] host:localhost query_time:0.04 lock_time:0
rows_sent:20,000 rows_examined:20,000 sql:SET timestamp=1614658245;
select * from posts; @timestamp:Mar 2, 2021 @ 11:10:45.000
_id:bmgi8XcBSRAHV-rAiGNR _type:fluentd _index:mysql.slowlog-app001.xxx.com-2021.03.02 _score: -
我要传以下日志
# Time: 210226 12:28:55
# User@Host: root[root] @ localhost []
# Query_time: 0.025196 Lock_time: 0.000074 Rows_sent: 10000 Rows_examined: 10000
SET timestamp=1614310135;
select * from posts;
我的fluent.conf文件配置如下:
<source>
type tail_asis_alternative
path /var/log/mysql/slow.log
pos_file /var/log/td-agent/pos/slow.log.pos
tag raw.mysql-slowlog
</source>
<match raw.mysql-slowlog.**>
type parser
remove_prefix raw
format /^(?<message>.*)/
time_format %d-%b-%Y %H:%M:%S %Z
key_name message
</match>
我得到的结果是多行而不是一行
20210226T122159+0900 mysql-slowlog.db0001 {"message":"# Time: 210226 12:21:59"}
20210226T122159+0900 mysql-slowlog.db0001 {"message":"# User@Host: root[root] @ localhost []"}
20210226T122159+0900 mysql-slowlog.db0001 {"message":"# Query_time: 0.028777 Lock_time: 0.000146 Rows_sent: 10000 Rows_examined: 10000"}
20210226T122159+0900 mysql-slowlog.db0001 {"message":"SET timestamp=1614309719;"}
20210226T122159+0900 mysql-slowlog.db0001 {"message":"select * from posts;"}
顺便说一句,我可以使用 fluent-plugin-mysqlslowquerylog.[=15 将多行 MySQL-slow-log 收集到流利的单行格式=]
我的 fluent.conf 文件将日志从数据库服务器转发到 fluentdserver:
<source>
@type tail
path /var/log/mysql/slow.log
format /^(?<message>.+)$/
tag "slowlog.#{Socket.gethostname}"
</source>
<match slowlog.*.*.*>
type mysqlslowquerylog
add_tag_prefix mysql.
</match>
<match mysql.slowlog.*.*.*>
@type keep_forward
heartbeat_type tcp
phi_threshold 100
buffer_type file
buffer_path /var/log/td-agent/buffer/out_forward_mysqlslowlog
flush_interval 30s
retry_limit 20000
max_retry_wait 2m
flush_at_shutdown true
<server>
host fluentd001.xxx.com
port 24220
weight 50
</server>
</match>
我从fluentd服务器到elasticsearch服务器的配置文件。
注意:我们还需要fluentd-plugin-forest为每个标签部分动态输出插件,
<match mysql.slowlog.*.*.*>
type forest
subtype copy
<template>
<store>
type elasticsearch
hosts eslastic001.xxx.com
port 9200
buffer_type file
buffer_path /var/log/td-agent/buffer/out_elasticsearch_mysqlslowlog
logstash_format true
logstash_prefix mysql.slowlog-${tag_parts[2]}.${tag_parts[3]}.${tag_parts[4]}
flush_interval 30s
retry_limit 20000
flush_at_shutdown true
</store>
</template>
</match>
这里是 elasticsearch 服务器的结果
user:root[root] host:localhost query_time:0.04 lock_time:0 rows_sent:20,000 rows_examined:20,000 sql:SET timestamp=1614658245; select * from posts; @timestamp:Mar 2, 2021 @ 11:10:45.000 _id:bmgi8XcBSRAHV-rAiGNR _type:fluentd _index:mysql.slowlog-app001.xxx.com-2021.03.02 _score: -