(?m)

centos6.5:/root/sbin#cat -n vv
     1	192.168.11.186,192.168.11.187	35199,3306	Dec  7, 2016 11:40:02.750520978		SELECT 
     2	    r.trx_id waiting_trx_id,\x0a    r.trx_mysql_thread_id waiting_thread,\x0a   r.trx_query waiting_query,\x0a    b.trx_id blocking_trx_id,\x0a    b.trx_mysql_thread_id blocking_thread,\x0a    b.trx_query blocking_query\x0aFROM\x0a    information_schema.innodb_lock_waits w\x0a        INNER JOIN\x0a    information_schema.innodb_trx b ON b.trx_id = w.blocking_trx_id\x0a        INNER JOIN\x0a    information_schema.innodb_trx r ON r.trx_id = w.requesting_trx_id



Here the record is split across 2 lines.

%{IPORHOST:clientip},%{IPORHOST:serverip}\s+(?<client_port>\S+),(?<server_port>\S+)\s+(?<time>(\S+\s+).*?[0-9]{2}:[0-9]{2}:[0-9]{2}\.\d+)\s+(?<running_sql>(\S+\s+).*)


{
  "clientip": [
    [
      "192.168.11.186"
    ]
  ],
  "serverip": [
    [
      "192.168.11.187"
    ]
  ],
  "client_port": [
    [
      "35199"
    ]
  ],
  "server_port": [
    [
      "3306"
    ]
  ],
  "time": [
    [
      "Dec  7, 2016 11:40:02.750520978"
    ]
  ],
  "running_sql": [
    [
      "SELECT \n    r.trx_id waiting_trx_id,\\x0a    r.trx_mysql_thread_id waiting_thread,\\x0a   r.trx_query waiting_query,\\x0a    b.trx_id blocking_trx_id,\\x0a    b.trx_mysql_thread_id blocking_thread,\\x0a    b.trx_query blocking_query\\x0aFROM\\x0a    information_schema.innodb_lock_waits w\\x0a        INNER JOIN\\x0a    information_schema.innodb_trx b ON b.trx_id = w.blocking_trx_id\\x0a        INNER JOIN\\x0a    information_schema.innodb_trx r ON r.trx_id = w.requesting_trx_id"
    ]
  ]
}


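At this point the match works: running_sql captures the whole statement, because the single line break is consumed by the `\s+` in `(\S+\s+)`.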


/*************
centos6.5:/root/sbin#cat -n dd
     1	192.168.11.186,192.168.11.187	35199,3306	Dec  7, 2016 11:40:02.750520978		SELECT 
     2	    r.trx_id waiting_trx_id,\x0a    r.trx_mysql_thread_id waiting_thread,\x0a   r.trx_query waiting_query,\x0a    b.trx_id blocking_trx_id,\x0a    b.trx_mysql_thread_id blocking_thread,\x0a    b.trx_query blocking_query\x0aFROM\x0a   
     3	 information_schema.innodb_lock_waits w\x0a        INNER JOIN\x0a    information_schema.innodb_trx b ON b.trx_id = w.blocking_trx_id\x0a        INNER JOIN\x0a    information_schema.innodb_trx r ON r.trx_id = w.requesting_trx_id


Now split the record across 3 lines.

The result is now:
{
  "clientip": [
    [
      "192.168.11.186"
    ]
  ],
  "serverip": [
    [
      "192.168.11.187"
    ]
  ],
  "client_port": [
    [
      "35199"
    ]
  ],
  "server_port": [
    [
      "3306"
    ]
  ],
  "time": [
    [
      "Dec  7, 2016 11:40:02.750520978"
    ]
  ],
  "running_sql": [
    [
      "SELECT \n    r.trx_id waiting_trx_id,\\x0a    r.trx_mysql_thread_id waiting_thread,\\x0a   r.trx_query waiting_query,\\x0a    b.trx_id blocking_trx_id,\\x0a    b.trx_mysql_thread_id blocking_thread,\\x0a    b.trx_query blocking_query\\x0aFROM\\x0a   "
    ]
  ]
}

The match is now incomplete: running_sql stops at the end of line 2.


What is needed is:
(?m)%{IPORHOST:clientip},%{IPORHOST:serverip}\s+(?<client_port>\S+),(?<server_port>\S+)\s+(?<time>(\S+\s+).*?[0-9]{2}:[0-9]{2}:[0-9]{2}\.\d+)\s+(?<running_sql>(\S+\s+).*)

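When grok is used together with codec/multiline, there is one issue to watch out for:

Grok regular expressions, like ordinary regular expressions, do not match carriage returns or line breaks by default.

Just as you would need =~ //m, this has to be specified explicitly. The way to write it is to add a (?m) flag at the start of the expression, as in the expression above.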
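The behaviour described above can be reproduced outside Logstash with Ruby's regex engine, which uses the same `(?m)` semantics as grok. This is an added example, not code from the original post; `IPORHOST` is a simplified stand-in for the real grok pattern, and the sample record is constructed with the SQL shortened.

```ruby
# Added example, not from the original post.
# Assumption: simplified stand-in for Logstash's much broader IPORHOST pattern.
IPORHOST = '[0-9A-Za-z.:-]+'

# The post's grok expression with %{IPORHOST:name} expanded to named groups.
BODY = "(?<clientip>#{IPORHOST}),(?<serverip>#{IPORHOST})\\s+" \
       '(?<client_port>\S+),(?<server_port>\S+)\s+' \
       '(?<time>(\S+\s+).*?[0-9]{2}:[0-9]{2}:[0-9]{2}\.\d+)\s+' \
       '(?<running_sql>(\S+\s+).*)'
WITHOUT_M = Regexp.new(BODY)
WITH_M    = Regexp.new('(?m)' + BODY)

# Constructed sample: same tab-separated layout as the post, SQL shortened.
# '\x0a' in single quotes is the literal four-character text seen in the file.
HEADER = "192.168.11.186,192.168.11.187\t35199,3306\t" \
         "Dec  7, 2016 11:40:02.750520978\t\t"
SQL_LINES = ['SELECT ',
             '    r.trx_id waiting_trx_id,\x0aFROM\x0a   ',
             ' information_schema.innodb_lock_waits w'].freeze
TWO_LINE   = HEADER + SQL_LINES[0] + "\n" + SQL_LINES[1] + SQL_LINES[2]
THREE_LINE = HEADER + SQL_LINES.join("\n")

# Value captured into running_sql, or nil when the event does not match.
def running_sql(regex, event)
  m = regex.match(event)
  m && m[:running_sql]
end

# True when the capture stops before the end of the event, i.e. the tail of
# the statement never reaches the running_sql field.
def truncated?(regex, event)
  sql = running_sql(regex, event)
  sql.nil? || !event.end_with?(sql)
end

{ 'two-line' => TWO_LINE, 'three-line' => THREE_LINE }.each do |name, event|
  [['no flag', WITHOUT_M], ['(?m)', WITH_M]].each do |label, regex|
    puts "#{name}, #{label}: truncated=#{truncated?(regex, event)}"
  end
end
```

A check like `truncated?` is useful in a pipeline test, since a silently shortened running_sql field still parses cleanly and raises no grok failure tag.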

posted @ 2016-12-07 12:45  czcb