File: //usr/share/filebeat/module/elasticsearch/slowlog/ingest/pipeline-json-7.yml
description: Pipeline for parsing the Elasticsearch slow logs in JSON format.
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
processors:
- json:
field: message
target_field: elasticsearch.slowlog
- drop:
if: ctx.elasticsearch.slowlog.type != 'index_indexing_slowlog' && ctx.elasticsearch.slowlog.type
!= 'index_search_slowlog'
- remove:
field: elasticsearch.slowlog.type
- dot_expander:
field: service.name
path: elasticsearch.slowlog
- rename:
field: elasticsearch.slowlog.service.name
target_field: service.name
ignore_missing: true
- rename:
field: elasticsearch.slowlog.level
target_field: log.level
ignore_missing: true
- dot_expander:
field: log.level
path: elasticsearch.slowlog
- rename:
field: elasticsearch.slowlog.log.level
target_field: log.level
ignore_missing: true
- dot_expander:
field: log.logger
path: elasticsearch.slowlog
- rename:
field: elasticsearch.slowlog.log.logger
target_field: log.logger
ignore_missing: true
- dot_expander:
field: process.thread.name
path: elasticsearch.slowlog
- rename:
field: elasticsearch.slowlog.process.thread.name
target_field: process.thread.name
ignore_missing: true
- rename:
field: elasticsearch.slowlog.component
target_field: elasticsearch.component
ignore_missing: true
- dot_expander:
field: cluster.name
path: elasticsearch.slowlog
- rename:
field: elasticsearch.slowlog.cluster.name
target_field: elasticsearch.cluster.name
- dot_expander:
field: node.name
path: elasticsearch.slowlog
- rename:
field: elasticsearch.slowlog.node.name
target_field: elasticsearch.node.name
- dot_expander:
field: cluster.uuid
path: elasticsearch.slowlog
- rename:
field: elasticsearch.slowlog.cluster.uuid
target_field: elasticsearch.cluster.uuid
ignore_missing: true
- dot_expander:
field: node.id
path: elasticsearch.slowlog
- rename:
field: elasticsearch.slowlog.node.id
target_field: elasticsearch.node.id
ignore_missing: true
- rename:
field: elasticsearch.slowlog.doc_type
target_field: elasticsearch.slowlog.types
ignore_missing: true
- convert:
field: elasticsearch.slowlog.took_millis
type: float
ignore_missing: true
- rename:
field: elasticsearch.slowlog.took_millis
target_field: elasticsearch.slowlog.duration
ignore_missing: true
- grok:
field: elasticsearch.slowlog.message
pattern_definitions:
GREEDYMULTILINE: |-
(.|
)*
INDEXNAME: '[a-zA-Z0-9_.-]*'
patterns:
- (\[%{INDEXNAME:elasticsearch.index.name}\]\[%{NUMBER:elasticsearch.shard.id}\])?(%{SPACE})(\[%{INDEXNAME:elasticsearch.index.name}\/%{DATA:elasticsearch.index.id}\])?(%{SPACE})%{SPACE}(took\[%{DATA:elasticsearch.slowlog.took}\],)?%{SPACE}(took_millis\[%{NUMBER:elasticsearch.slowlog.duration:long}\],)?%{SPACE}(type\[%{DATA:elasticsearch.slowlog.type}\],)?%{SPACE}(id\[%{DATA:elasticsearch.slowlog.id}\],)?%{SPACE}(routing\[%{DATA:elasticsearch.slowlog.routing}\],)?%{SPACE}(total_hits\[%{NUMBER:elasticsearch.slowlog.total_hits:int}\],)?%{SPACE}(types\[%{DATA:elasticsearch.slowlog.types}\],)?%{SPACE}(stats\[%{DATA:elasticsearch.slowlog.stats}\],)?%{SPACE}(search_type\[%{DATA:elasticsearch.slowlog.search_type}\],)?%{SPACE}(total_shards\[%{NUMBER:elasticsearch.slowlog.total_shards:int}\],)?%{SPACE}(source\[%{GREEDYMULTILINE:elasticsearch.slowlog.source_query}\])?,?%{SPACE}(extra_source\[%{DATA:elasticsearch.slowlog.extra_source}\])?,?
- \[%{INDEXNAME:elasticsearch.index.name}\]\[%{NUMBER:elasticsearch.shard.id}\]
- remove:
field: elasticsearch.slowlog.message
- set:
value: "{{ elasticsearch.slowlog.@timestamp }}"
field: "@timestamp"
ignore_empty_value: true
- set:
value: "{{ elasticsearch.slowlog.timestamp }}"
field: "@timestamp"
ignore_empty_value: true
- remove:
field: elasticsearch.slowlog.@timestamp
ignore_missing: true
- remove:
field: elasticsearch.slowlog.timestamp
ignore_missing: true
- date:
field: '@timestamp'
target_field: '@timestamp'
formats:
- ISO8601
ignore_failure: true