David Waugh

LUA Parser to Extract Query Execute Time

Blog Post created by David Waugh Employee on Nov 25, 2016

Building on the excellent work in Security Analytics Log Parser 2.1.63.zip I had a minor irritation in that the query time was not particulary useful if you had a lot of concentrators.


A typical log message would look like:


Nov 20 07:08:46 mybroker NwBroker[3306]: [SDK-Query] [audit] User admin (session 3421280, has finished query (channel 3424049, queued 00:00:00, execute 00:20:01, id1=5729990302 id2=19760696376362 threshold=0 query="select time, ip.src, ip.dst, tcp.srcport, tcp.dstport, service, alias.host, directory, filename, query, referer, sessionid where (time='2016-Sep-01 00:00:00'-'2016-Nov-19 06:47:11') && (((alias.host contains 'bbc.com' || alias.host contains 'guardian.com' )))"


Unfortunately the part in red got put into the query.time meta key so it was not particularly useful.


I wrote a LUA parser to extract the data from Query.time so that the time the query took was put into an Integer metakey called execute.time.


Here is the LUA parser. Perhaps it will be useful for someone...


With this parser you can create reports that show your longest running queries, and who ran them.




I've updated the parser so that it has the following features:

  • Able to parse all concentrator times even if the length of querytime exceeds 256 characters, so no statistics are lost
  • Added a key to store the slowest concentrator for each query so you can identify if one particular concentrator is always the slowest. We only consider query times greater than 5 seconds for this feature.