Aggregate and filter logs with SQL
SQL output filter¶
Filter and aggregate parsed logs with SQL.
This filter applies SQL queries on parsed log events. The result of the query is emitted as a new event, while the original events are omitted.
Using SQL it is very easy to aggregate values, e.g. group HTTP requests by status codes. The SQL WHERE statement is used to filter events before they get shipped to Elasticsearch or Logsene.
Configuration¶
Add the following section 'outputFilter' to the Logagent configuration file. Please note you could use the plugin with multiple configurations for different event sources.
input: files: - '/var/log/*/access.log' outputFilter: - module: sql config: source: !!js/regexp /access.log|httpd/ interval: 1 # every second queries: - # calculate average page size for different HTTP methods SELECT 'apache_stats' AS _type, AVG(size) AS size_avg, COUNT(method) AS method_count, method as http_method FROM ? GROUP BY method - # log each request to the login page SELECT * FROM ? WHERE path like "/wp-login%" output: elasticsearch: module: elasticsearch url: http://localhost:9200 index: mylogs
Run Logagent with your config:
logagent --config logagent-example-config.yml