File: //usr/share/filebeat/module/elasticsearch/slowlog/ingest/pipeline-json-8.yml
description: Pipeline for parsing the Elasticsearch slow logs in JSON format.
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'
processors:
- json:
field: message
add_to_root: true
- dot_expander:
field: '*'
override: true
# Drop any non-slowlog messages that show up due to mixed log output configurations
- drop:
if: '!["elasticsearch.slowlog", "elasticsearch.index_indexing_slowlog", "elasticsearch.index_search_slowlog"].contains(ctx.event.dataset)'
- convert:
field: elasticsearch.slowlog.took_millis
type: float
ignore_missing: true
- rename:
field: elasticsearch.slowlog.took_millis
target_field: elasticsearch.slowlog.duration
ignore_missing: true
- grok:
field: elasticsearch.slowlog.message
pattern_definitions:
GREEDYMULTILINE: |-
(.|
)*
INDEXNAME: '[a-zA-Z0-9_.-]*'
patterns:
- (\[%{INDEXNAME:elasticsearch.index.name}\]\[%{NUMBER:elasticsearch.shard.id}\])?(%{SPACE})(\[%{INDEXNAME:elasticsearch.index.name}\/%{DATA:elasticsearch.index.id}\])?(%{SPACE})%{SPACE}(took\[%{DATA:elasticsearch.slowlog.took}\],)?%{SPACE}(took_millis\[%{NUMBER:elasticsearch.slowlog.duration:long}\],)?%{SPACE}(type\[%{DATA:elasticsearch.slowlog.type}\],)?%{SPACE}(id\[%{DATA:elasticsearch.slowlog.id}\],)?%{SPACE}(routing\[%{DATA:elasticsearch.slowlog.routing}\],)?%{SPACE}(total_hits\[%{NUMBER:elasticsearch.slowlog.total_hits:int}\],)?%{SPACE}(types\[%{DATA:elasticsearch.slowlog.types}\],)?%{SPACE}(stats\[%{DATA:elasticsearch.slowlog.stats}\],)?%{SPACE}(search_type\[%{DATA:elasticsearch.slowlog.search_type}\],)?%{SPACE}(total_shards\[%{NUMBER:elasticsearch.slowlog.total_shards:int}\],)?%{SPACE}(source\[%{GREEDYMULTILINE:elasticsearch.slowlog.source_query}\])?,?%{SPACE}(extra_source\[%{DATA:elasticsearch.slowlog.extra_source}\])?,?
- \[%{INDEXNAME:elasticsearch.index.name}\]\[%{NUMBER:elasticsearch.shard.id}\]
- set:
field: message
value: '{{ elasticsearch.slowlog.message }}'
ignore_empty_value: true
- remove:
field: elasticsearch.slowlog.message