Here is my config:
filter {
  # First pass: split the MongoDB log line into its fixed fields and keep the rest in "content"
  grok {
    match => { "message" =>
      "%{TIMESTAMP_ISO8601:@timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\[%{DATA:context}\])? %{GREEDYDATA:content}"
    }
  }
  # Second pass: only lines ending in a duration ("... 1066ms") are slow operations
  if [content] =~ "\d+ms$" {
    grok {
      match => { "content" =>
        "%{WORD:command} %{WORD:database}\.(?<object>\S+) (?<slow_query>.+?) %{NUMBER:duration:int}ms"
      }
      add_tag => [ "slow_query" ]
      remove_field => [ "content" ]
    }
  }
}
I tested with this line:
2016-03-17T18:03:27.864+0800 I COMMAND [conn2] insert ksRealtimeDB.ks-1622 ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, Collection: { acquireCount: { w: 1 } } } 1066ms
And output:
{
           "message" => "2016-03-17T18:03:27.864+0800 I COMMAND [conn2] insert ksRealtimeDB.ks-1622 ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, Collection: { acquireCount: { w: 1 } } } 1066ms",
          "@version" => "1",
        "@timestamp" => "2016-03-17T10:06:25.776Z",
              "type" => "mongodb",
              "host" => "shifudaotest",
          "severity" => "I",
         "component" => "COMMAND",
           "context" => "conn2",
           "command" => "insert",
          "database" => "ksRealtimeDB",
            "object" => "ks-1622",
        "slow_query" => "ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, Collection: { acquireCount: { w: 1 } } }",
          "duration" => 1066,
              "tags" => [
        [0] "slow_query"
    ]
}
The @timestamp field does not match the message timestamp. How could I solve this issue?
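One way to make the event's @timestamp follow the log line, added here as an example and not taken from the original post: grok captures are plain strings, while @timestamp holds a parsed timestamp, so the line's timestamp is captured into a temporary field (log_timestamp is an assumed name) and the date filter parses it into @timestamp. The rest of the pipeline is the poster's, unchanged.

```logstash
filter {
  # Capture the log's own timestamp as a string field instead of writing to @timestamp directly
  grok {
    match => { "message" =>
      "%{TIMESTAMP_ISO8601:log_timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\[%{DATA:context}\])? %{GREEDYDATA:content}"
    }
  }

  # Parse the captured string (offset such as +0800 included) and store it as the event
  # time in UTC. For the sample line: 2016-03-17T18:03:27.864+0800 -> 2016-03-17T10:03:27.864Z
  # If the string cannot be parsed the event is tagged _dateparsefailure, which is worth alerting on.
  date {
    match        => [ "log_timestamp", "ISO8601" ]
    target       => "@timestamp"
    remove_field => [ "log_timestamp" ]   # assumed: drop the helper field once parsed
  }

  # Slow-operation extraction, as in the original config
  if [content] =~ "\d+ms$" {
    grok {
      match => { "content" =>
        "%{WORD:command} %{WORD:database}\.(?<object>\S+) (?<slow_query>.+?) %{NUMBER:duration:int}ms"
      }
      add_tag      => [ "slow_query" ]
      remove_field => [ "content" ]
    }
  }
}
```

Check the result with the rubydebug output: "@timestamp" should now read 2016-03-17T10:03:27.864Z rather than the ingest time, and no _dateparsefailure tag should appear.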