centos6.5:/root/sbin#cat -n vv
1 192.168.11.186,192.168.11.187 35199,3306 Dec 7, 2016 11:40:02.750520978 SELECT
2 r.trx_id waiting_trx_id,x0a r.trx_mysql_thread_id waiting_thread,x0a r.trx_query waiting_query,x0a b.trx_id blocking_trx_id,x0a b.trx_mysql_thread_id blocking_thread,x0a b.trx_query blocking_queryx0aFROMx0a information_schema.innodb_lock_waits wx0a INNER JOINx0a information_schema.innodb_trx b ON b.trx_id = w.blocking_trx_idx0a INNER JOINx0a information_schema.innodb_trx r ON r.trx_id = w.requesting_trx_id
此时分为2行
%{IPORHOST:clientip},%{IPORHOST:serverip}s+(?<client_port>S+),(?<server_port>S+)s+(?<time>(S+s+).*?[0-9]{2}:[0-9]{2}:[0-9]{2}.d+)s+(?<running_sql>(S+s+).*)
{
"clientip": [
[
"192.168.11.186"
]
],
"serverip": [
[
"192.168.11.187"
]
],
"client_port": [
[
"35199"
]
],
"server_port": [
[
"3306"
]
],
"time": [
[
"Dec 7, 2016 11:40:02.750520978"
]
],
"running_sql": [
[
"SELECT
r.trx_id waiting_trx_id,\x0a r.trx_mysql_thread_id waiting_thread,\x0a r.trx_query waiting_query,\x0a b.trx_id blocking_trx_id,\x0a b.trx_mysql_thread_id blocking_thread,\x0a b.trx_query blocking_query\x0aFROM\x0a information_schema.innodb_lock_waits w\x0a INNER JOIN\x0a information_schema.innodb_trx b ON b.trx_id = w.blocking_trx_id\x0a INNER JOIN\x0a information_schema.innodb_trx r ON r.trx_id = w.requesting_trx_id"
]
]
}
此时可以玩转匹配
/*************
centos6.5:/root/sbin#cat -n dd
1 192.168.11.186,192.168.11.187 35199,3306 Dec 7, 2016 11:40:02.750520978 SELECT
2 r.trx_id waiting_trx_id,x0a r.trx_mysql_thread_id waiting_thread,x0a r.trx_query waiting_query,x0a b.trx_id blocking_trx_id,x0a b.trx_mysql_thread_id blocking_thread,x0a b.trx_query blocking_queryx0aFROMx0a
3 information_schema.innodb_lock_waits wx0a INNER JOINx0a information_schema.innodb_trx b ON b.trx_id = w.blocking_trx_idx0a INNER JOINx0a information_schema.innodb_trx r ON r.trx_id = w.requesting_trx_id
换成3行
此时
{
"clientip": [
[
"192.168.11.186"
]
],
"serverip": [
[
"192.168.11.187"
]
],
"client_port": [
[
"35199"
]
],
"server_port": [
[
"3306"
]
],
"time": [
[
"Dec 7, 2016 11:40:02.750520978"
]
],
"running_sql": [
[
"SELECT
r.trx_id waiting_trx_id,\x0a r.trx_mysql_thread_id waiting_thread,\x0a r.trx_query waiting_query,\x0a b.trx_id blocking_trx_id,\x0a b.trx_mysql_thread_id blocking_thread,\x0a b.trx_query blocking_query\x0aFROM\x0a "
]
]
}
匹配不完整了
需要
(?m)%{IPORHOST:clientip},%{IPORHOST:serverip}s+(?<client_port>S+),(?<server_port>S+)s+(?<time>(S+s+).*?[0-9]{2}:[0-9]{2}:[0-9]{2}.d+)s+(?<running_sql>(S+s+).*)
在和 codec/multiline 搭配使用的时候,需要注意一个问题,
grok 正则和普通正则一样,默认是不支持匹配回车换行的。
就像你需要 =~ //m 一样也需要单独指定,具体写法是在表达式开始位置加 (?m) 标记。如下所示: