nicklaw5/filebeat.yml

## filebeat.yml
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
- input_type: log
  document_type: mariadb-slowlogs
  paths:
    - "/var/log/mysql/mariadb-slow.log"
  multiline:
    pattern: '^# User@Host: '
    negate: true
    match: after

## logstash-grok-filter.conf
filter {
  if [type] == "mariadb-slowlogs" {
    # Drop "Time" line since it does not appear on every log entry
    if [message] =~ "^# Time: " {
      drop {}
    }
    grok {
      match => [ "message", "%{MYSQLSLOWLOGCOMBINED}" ]
    }
    date {
      match => [ "query_timestamp", "UNIX" ]
    }
  }
}

## pattern.conf
MYSQLSLOWLOGHOST # User@Host: %{USER:query_user}?(\[%{WORD}\])? @ %{HOSTNAME:query_host} \[%{IP:query_ip}?\]\n
MYSQLSLOWLOGSTATS1 # Thread_id: %{NUMBER:query_thread_id:int}  Schema: %{DATA:query_schema}  QC_hit: %{DATA:query_qc_hit}\n
MYSQLSLOWLOGSTATS2 # Query_time: %{NUMBER:query_time:float}  Lock_time: %{NUMBER:query_lock_time:float}  Rows_sent: %{NUMBER:query_rows_sent:int}  Rows_examined: %{NUMBER:query_rows_examined:int}\n
MYSQLSLOWLOGSTATS3 # Rows_affected: %{NUMBER:query_rows_affected:int}\n
MYSQLSLOWLOGSTATS4 (?:# Full_scan: %{DATA:query_full_scan}  Full_join: %{DATA:query_full_join}  Tmp_table: %{DATA:query_tmp_table}  Tmp_table_on_disk: %{DATA:query_tmp_table_on_disk}\n)?
MYSQLSLOWLOGSTATS5 (?:# Filesort: %{DATA:query_filesort}  Filesort_on_disk: %{DATA:query_filesort_on_disk}  Merge_passes: %{DATA:query_merge_passes}  Priority_queue: %{DATA:query_priority_queue}\n)?
MYSQLSLOWLOGQUERYSQL SET timestamp=%{NUMBER:query_timestamp:int};\n%{GREEDYDATA:query_sql}
MYSQLSLOWLOGCOMBINED %{MYSQLSLOWLOGHOST}%{MYSQLSLOWLOGSTATS1}%{MYSQLSLOWLOGSTATS2}%{MYSQLSLOWLOGSTATS3}%{MYSQLSLOWLOGSTATS4}%{MYSQLSLOWLOGSTATS5}%{MYSQLSLOWLOGQUERYSQL}
	#=========================== Filebeat prospectors =============================
	filebeat.prospectors:
	- input_type: log
	document_type: mariadb-slowlogs
	paths:
	- "/var/log/mysql/mariadb-slow.log"
	multiline:
	pattern: '^# User@Host: '
	negate: true
	match: after
	filter {
	if [type] == "mariadb-slowlogs" {
	# Drop "Time" line since it does not appear on every log entry
	if [message] =~ "^# Time: " {
	drop {}
	}
	grok {
	match => [ "message", "%{MYSQLSLOWLOGCOMBINED}" ]
	}
	date {
	match => [ "query_timestamp", "UNIX" ]
	}
	}
	}
	MYSQLSLOWLOGHOST # User@Host: %{USER:query_user}?(\[%{WORD}\])? @ %{HOSTNAME:query_host} \[%{IP:query_ip}?\]\n
	MYSQLSLOWLOGSTATS1 # Thread_id: %{NUMBER:query_thread_id:int} Schema: %{DATA:query_schema} QC_hit: %{DATA:query_qc_hit}\n
	MYSQLSLOWLOGSTATS2 # Query_time: %{NUMBER:query_time:float} Lock_time: %{NUMBER:query_lock_time:float} Rows_sent: %{NUMBER:query_rows_sent:int} Rows_examined: %{NUMBER:query_rows_examined:int}\n
	MYSQLSLOWLOGSTATS3 # Rows_affected: %{NUMBER:query_rows_affected:int}\n
	MYSQLSLOWLOGSTATS4 (?:# Full_scan: %{DATA:query_full_scan} Full_join: %{DATA:query_full_join} Tmp_table: %{DATA:query_tmp_table} Tmp_table_on_disk: %{DATA:query_tmp_table_on_disk}\n)?
	MYSQLSLOWLOGSTATS5 (?:# Filesort: %{DATA:query_filesort} Filesort_on_disk: %{DATA:query_filesort_on_disk} Merge_passes: %{DATA:query_merge_passes} Priority_queue: %{DATA:query_priority_queue}\n)?
	MYSQLSLOWLOGQUERYSQL SET timestamp=%{NUMBER:query_timestamp:int};\n%{GREEDYDATA:query_sql}
	MYSQLSLOWLOGCOMBINED %{MYSQLSLOWLOGHOST}%{MYSQLSLOWLOGSTATS1}%{MYSQLSLOWLOGSTATS2}%{MYSQLSLOWLOGSTATS3}%{MYSQLSLOWLOGSTATS4}%{MYSQLSLOWLOGSTATS5}%{MYSQLSLOWLOGQUERYSQL}