churrops/filebeat-mysql-slowlog-pipeline.json

## filebeat-mysql-slowlog-pipeline.json
{
  "description": "Pipeline for parsing MySQL slow logs.",
  "processors": [{
    "grok": {
      "field": "message",
      "patterns":[
        "^# Time: (?<mysql_slowlog_time>%{NUMBER}%{SPACE}%{TIME})(.|\r|\n)*# User@Host: %{USER:mysql_slowlog_user}\\[%{USER:mysql_slowlog_current_user}\\] @ %{HOSTNAME:mysql_slowlog_client_host}? \\[%{IP:mysql_slowlog_client_ip}?\\](.|\r|\n)*# Thread_id:%{SPACE}%{NUMBER:mysql_slowlog_id}  Schema: %{WORD:mysql_slowlog_schema}?  QC_hit: %{WORD:mysql_slowlog_qc_hit}(.|\r|\n)*# Query_time: %{NUMBER:mysql_slowlog_query_time_sec}  Lock_time: %{NUMBER:mysql_slowlog_lock_time}  Rows_sent: %{NUMBER:mysql_slowlog_rows_sent}  Rows_examined: %{NUMBER:mysql_slowlog_rows_examined}(.|\r|\n)*SET timestamp=%{NUMBER:mysql_slowlog_timestamp};(.|\n)%{GREEDYDATA:mysql_slowlog_query}"
        ],
      "pattern_definitions" : {
        "GREEDYMULTILINE" : "(.|\n)*"
      },
      "ignore_missing": true
    }
  }, {
    "remove":{
      "field": "message"
    }
  }, {
    "date": {
      "field": "mysql.slowlog.timestamp",
      "target_field": "@timestamp",
      "formats": ["UNIX"],
      "ignore_failure": true
    }
  }, {
    "gsub": {
      "field": "mysql.slowlog.query",
       "pattern": "\n# Time: [0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9](\\.[0-9]+)?$",
       "replacement": "",
       "ignore_failure": true
    }
  }],
  "on_failure" : [{
    "set" : {
      "field" : "error.message",
      "value" : "{{ _ingest.on_failure_message }}"
    }
  }]
}
	{
	"description": "Pipeline for parsing MySQL slow logs.",
	"processors": [{
	"grok": {
	"field": "message",
	"patterns":[
	"^# Time: (?<mysql_slowlog_time>%{NUMBER}%{SPACE}%{TIME})(.\|\r\|\n)# User@Host: %{USER:mysql_slowlog_user}\\[%{USER:mysql_slowlog_current_user}\\] @ %{HOSTNAME:mysql_slowlog_client_host}? \\[%{IP:mysql_slowlog_client_ip}?\\](.\|\r\|\n)# Thread_id:%{SPACE}%{NUMBER:mysql_slowlog_id} Schema: %{WORD:mysql_slowlog_schema}? QC_hit: %{WORD:mysql_slowlog_qc_hit}(.\|\r\|\n)# Query_time: %{NUMBER:mysql_slowlog_query_time_sec} Lock_time: %{NUMBER:mysql_slowlog_lock_time} Rows_sent: %{NUMBER:mysql_slowlog_rows_sent} Rows_examined: %{NUMBER:mysql_slowlog_rows_examined}(.\|\r\|\n)SET timestamp=%{NUMBER:mysql_slowlog_timestamp};(.\|\n)%{GREEDYDATA:mysql_slowlog_query}"
	],
	"pattern_definitions" : {
	"GREEDYMULTILINE" : "(.\|\n)*"
	},
	"ignore_missing": true
	}
	}, {
	"remove":{
	"field": "message"
	}
	}, {
	"date": {
	"field": "mysql.slowlog.timestamp",
	"target_field": "@timestamp",
	"formats": ["UNIX"],
	"ignore_failure": true
	}
	}, {
	"gsub": {
	"field": "mysql.slowlog.query",
	"pattern": "\n# Time: [0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9](\\.[0-9]+)?$",
	"replacement": "",
	"ignore_failure": true
	}
	}],
	"on_failure" : [{
	"set" : {
	"field" : "error.message",
	"value" : "{{ _ingest.on_failure_message }}"
	}
	}]
	}