Do you have any advice on how to stop collecting lines when the end of the SQL appears?
I have to catch everything after the timestamp and stop collecting after the end of the
SQL. Anything can appear after the SQL.
On Thursday, 22 December 2016 09:50:08 UTC+1, Jochen Schalanda wrote:
>
> Hi,
>
> I'd recommend matching the timestamp as start of the log entry, e. g.
> "2016-12-05 14:07:45,399" would be matched by "\d{4}-\d{2}-\d{2}
> \d{2}:\d{2}:\d{2},\d{1,3}".
>
> See
> https://www.elastic.co/guide/en/beats/filebeat/current/multiline-examples.html
>
> for some examples.
>
> Cheers,
> Jochen
>
> On Thursday, 22 December 2016 08:53:03 UTC+1, mytempledarkstar wrote:
>>
>> Hello.
>>
>>
>> I am using filebeat to push data to graylog/elasticsearch.
>> Now I am trying to push this type of information from a log file:
>>
>> 2016-12-05 14:07:45,399 |
>> SUCCESS Finished executing sql (8 ms):
>> 7ed3a851-2f36-47a5-ad12-028169d48ae4
>> select distinct
>> wp.id,
>> wp.a,
>> wp.b,
>> wp.c,
>> wp.d,
>> wp.e,
>> wp.f,
>> pp.g
>> from
>> x wp,
>> y kp,
>> x pp
>> where
>> ? between wp.dataa and wp.databb and
>> (kp.idparam = ?) and
>> ((pp.code = ?) or (pp.test = 1) and
>> (select distinct
>> count (pp.code)
>> from
>> a wp,
>> b kp,
>> c pp
>> where
>> (kp.id = ?) and
>> (pp.code = ?) and
>> (pp.idka = kp.id) and
>> (wp.idd = pp.id)
>> group by pp.code) IS NULL) and
>> (pp.code = ?) and
>> (pp.idka = kp.id) and
>> (wp.idpr = pp.id);
>>
>> 2016-12-05 14:07:45,410 | INFO |
>>
>>
>> 1. approach: I used include_lines:
>> "SUCCESS Finished executing sql \((?:\d+) ms\): (?:[^\r\n]+)\r?\n-- Nazwa
>> wykonywanego pliku sql: (?:[^\r\n]+)\r?\n(.*?)(?:\r?\n\d\d\d\d-\d\d-\d\d
>> \d\d:\d\d:\d\d,\d\d\d|\z"
>> 2. approach:
>> multiline:
>>   match: after
>>   pattern: "SUCCESS Finished executing sql"
>>   max_lines: 50
>> paths:
>>   - /vlogfile.log
>> scan_frequency: 10s
>> tail_files: false
>>
>>
>>
>>
>> I have no idea how to catch it with regexps.
>> I used a multiline pattern but that is not working.
>> Could you help me with how to work with that type of information in a log file?
>>
>> Graylog 2.1
>> Filebeat 5.1
>>
>>
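
Added example, not part of the thread and not Filebeat's own code: a small Python model of what the multiline settings discussed above do (`pattern` set to the suggested timestamp regex, `negate: true`, `match: after`, `max_lines`), followed by a trimming step that stops the event at the end of the SQL. The sample log is constructed, `group_events` and `sql_events` are hypothetical helper names, and treating a line that ends in `;` as the end of the statement is an assumption.

```python
import re

# Timestamp regex suggested in the thread, anchored to the start of the line.
TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{1,3}")
MARKER = "SUCCESS Finished executing sql"

# Constructed sample shaped like the quoted log excerpt (SQL shortened).
SAMPLE = """\
2016-12-05 14:07:44,120 | INFO | starting
2016-12-05 14:07:45,399 |
SUCCESS Finished executing sql (8 ms):
7ed3a851-2f36-47a5-ad12-028169d48ae4
select distinct
wp.id
from
x wp
where
(wp.idpr = ?);
free text that is not part of the statement

2016-12-05 14:07:45,410 | INFO |
"""

def group_events(lines, max_lines=50):
    """Model of negate=true, match=after: a line that does not start with
    a timestamp is appended to the event opened by the last timestamp."""
    events = []
    for line in lines:
        if TS.match(line) or not events:
            events.append([line])          # timestamp opens a new event
        elif len(events[-1]) < max_lines:
            events[-1].append(line)        # continuation line
        # lines beyond max_lines are discarded
    return events

def sql_events(events):
    """Keep events containing MARKER; cut each after the first line ending
    in ';' (assumed statement terminator), dropping whatever follows."""
    out = []
    for ev in events:
        if not any(MARKER in line for line in ev):
            continue
        end = next((i for i, line in enumerate(ev)
                    if line.rstrip().endswith(";")), len(ev) - 1)
        out.append("\n".join(ev[:end + 1]))
    return out

if __name__ == "__main__":
    for event in sql_events(group_events(SAMPLE.splitlines())):
        print(event)
```

The timestamp pattern alone only decides where an event starts, so the trailing free text stays in the event until the trimming step removes it.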