pegasuskim/sar.conf

## sar.conf
input {
  pipe {
    tags => [ "sar", "loadavg" ]
    command => "env LANG=C sar -q 5"
  }
  pipe {
    tags => [ "sar", "cpu" ]
    command => "env LANG=C sar -u 5"
  }
}

filter {
  if "sar" in [tags] {
    if "loadavg" in [tags] {
      grok {
        match => { "message" => "\A(?<timestamp>%{HOUR}:%{MINUTE}:%{SECOND})\s+%{NUMBER:runqueueSize:int}\s+%{NUMBER:processListSize:int}\s+%{NUMBER:loadAvg1:float}\s+%{NUMBER:loadAvg5:float}\s+%{NUMBER:loadAvg15:float}" }
        remove_field => [ "message" ]
      }
    }
    if "cpu" in [tags] {
      grok {
        match => { "message" => "\A(?<timestamp>%{HOUR}:%{MINUTE}:%{SECOND})\s+all\s+%{NUMBER:user:float}\s+%{NUMBER:nice:float}\s+%{NUMBER:system:float}\s+%{NUMBER:iowait:float}\s+%{NUMBER:steal:float}\s+%{NUMBER:idle:float}\z" }
        remove_field => [ "message" ]
      }
    }
    if "_grokparsefailure" in [tags] and [message] =~ /\A(?:Linux|$|\d\d:\d\d:\d\d\s++[^0-9.\s])/ {
       # drop header lines
       drop { }
    }
  }
}

output {
  # your output configuration here
}
	input {
	pipe {
	tags => [ "sar", "loadavg" ]
	command => "env LANG=C sar -q 5"
	}
	pipe {
	tags => [ "sar", "cpu" ]
	command => "env LANG=C sar -u 5"
	}
	}

	filter {
	if "sar" in [tags] {
	if "loadavg" in [tags] {
	grok {
	match => { "message" => "\A(?<timestamp>%{HOUR}:%{MINUTE}:%{SECOND})\s+%{NUMBER:runqueueSize:int}\s+%{NUMBER:processListSize:int}\s+%{NUMBER:loadAvg1:float}\s+%{NUMBER:loadAvg5:float}\s+%{NUMBER:loadAvg15:float}" }
	remove_field => [ "message" ]
	}
	}
	if "cpu" in [tags] {
	grok {
	match => { "message" => "\A(?<timestamp>%{HOUR}:%{MINUTE}:%{SECOND})\s+all\s+%{NUMBER:user:float}\s+%{NUMBER:nice:float}\s+%{NUMBER:system:float}\s+%{NUMBER:iowait:float}\s+%{NUMBER:steal:float}\s+%{NUMBER:idle:float}\z" }
	remove_field => [ "message" ]
	}
	}
	if "_grokparsefailure" in [tags] and [message] =~ /\A(?:Linux\|$\|\d\d:\d\d:\d\d\s++[^0-9.\s])/ {
	# drop header lines
	drop { }
	}
	}
	}

	output {
	# your output configuration here
	}