[ES 7.6] regular expression has redundant nested repeat operator

good day!
I'm new to ELK

I noticed that after updating ES to 7.6, a large number of messages like the following started appearing in /var/log/messages:

Feb 25 13:55:01 elasticsearch elasticsearch[23298]: regular expression has redundant nested repeat operator * /(?:(?:(?:(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?): (?<BASE10NUM:elasticsearch.gc.jvm_runtime_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))):)|(?:\[(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)\]\[(?<POSINT:process.pid>\b(?:[1-9][0-9]*)\b)\]\[(?<DATA:elasticsearch.gc.tags>.*?)(?:\s*)*\])) Total time for which application threads were stopped: (?<BASE10NUM:elasticsearch.gc.threads_total_stop_time_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) seconds, Stopping threads took: (?<BASE10NUM:elasticsearch.gc.stopping_threads_time_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) seconds)|(?:(?:(?:(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?): (?<BASE10NUM:elasticsearch.gc.jvm_runtime_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))):)) \[GC \((?<DATA:elasticsearch.gc.phase.name>.*?)\) \[YG occupancy: (?<BASE10NUM:elasticsearch.gc.young_gen.used_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) K \((?<BASE10NUM:elasticsearch.gc.young_gen.size_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) 
K\)\](?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))): \[Rescan \(parallel\) , (?<BASE10NUM:elasticsearch.gc.phase.parallel_rescan_time_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\](?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))): \[weak refs processing, (?<BASE10NUM:elasticsearch.gc.phase.weak_refs_processing_time_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\](?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))): \[class unloading, (?<BASE10NUM:elasticsearch.gc.phase.class_unload_time_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\](?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))): \[scrub symbol table, (?<BASE10NUM:elasticsearch.gc.phase.scrub_symbol_table_time_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\](?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))): \[scrub string table, (?<BASE10NUM:elasticsearch.gc.phase.scrub_string_table_time_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\]\[1 CMS-remark: (?<BASE10NUM:elasticsearch.gc.old_gen.used_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\((?<BASE10NUM:elasticsearch.gc.old_gen.size_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\)\] (?<BASE10NUM:elasticsearch.gc.heap.used_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\((?<BASE10NUM:elasticsearch.gc.heap.size_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\), (?<BASE10NUM:elasticsearch.gc.phase.duration_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\] (?:\[Times: user=(?<BASE10NUM:elasticsearch.gc.phase.cpu_time.user_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) sys=(?<BASE10NUM:elasticsearch.gc.phase.cpu_time.sys_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))), 
real=(?<BASE10NUM:elasticsearch.gc.phase.cpu_time.real_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\]))|(?:(?:(?:(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?): (?<BASE10NUM:elasticsearch.gc.jvm_runtime_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))):)) \[GC \((?<DATA:elasticsearch.gc.phase.name>.*?)\) \[(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) CMS-initial-mark: (?<BASE10NUM:elasticsearch.gc.old_gen.used_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\((?<BASE10NUM:elasticsearch.gc.old_gen.size_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\)\] (?<BASE10NUM:elasticsearch.gc.heap.used_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\((?<BASE10NUM:elasticsearch.gc.heap.size_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\), (?<BASE10NUM:elasticsearch.gc.phase.duration_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\] (?:\[Times: user=(?<BASE10NUM:elasticsearch.gc.phase.cpu_time.user_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) sys=(?<BASE10NUM:elasticsearch.gc.phase.cpu_time.sys_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))), real=(?<BASE10NUM:elasticsearch.gc.phase.cpu_time.real_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))) secs\]))|(?:(?:\[(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T 
](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)\]\[(?<POSINT:process.pid>\b(?:[1-9][0-9]*)\b)\]\[(?<DATA:elasticsearch.gc.tags>.*?)(?:\s*)*\]) GC\((?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))\) ParNew: (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K-\>(?<BASE10NUM:elasticsearch.gc.young_gen.used_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\((?<BASE10NUM:elasticsearch.gc.young_gen.size_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\))|(?:(?:\[(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)\]\[(?<POSINT:process.pid>\b(?:[1-9][0-9]*)\b)\]\[(?<DATA:elasticsearch.gc.tags>.*?)(?:\s*)*\]) GC\((?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))\) Old: (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K-\>(?<BASE10NUM:elasticsearch.gc.old_gen.used_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\((?<BASE10NUM:elasticsearch.gc.old_gen.size_kb>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))K\))|(?:(?:(?:(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?): (?<BASE10NUM:elasticsearch.gc.jvm_runtime_sec>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))):)|(?:\[(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T 
](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)\]\[(?<POSINT:process.pid>\b(?:[1-9][0-9]*)\b)\]\[(?<DATA:elasticsearch.gc.tags>.*?)(?:\s*)*\])) (?<GREEDYMULTILINE:message>(.|
Feb 25 13:55:01 SIEM-02 elasticsearch[23298]: )*))/

The OS is CentOS 8.

I noticed these messages because Filebeat is installed, and it picks up ~10,000 of them every hour.

What confuses me is that these messages end up in /var/log/messages at all, although the settings say that messages should be written to /var/log/elasticsearch.


Hello,

I have the very same problem after upgrading from 7.5 to 7.6.
Elasticsearch logs contain a LOT of those messages, mainly after startup:

regular expression has redundant nested repeat operator * /(?:(?:[(?<TIMESTAMP_ISO8601:elasticsearch.server.timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))T :?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|+-(?::?(?:(?:[0-5][0-9])))))?)][(?LOGLEVEL:log.level([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))(?:\s*)?][(?<DATA:elasticsearch.component>.?)(?:\s)]((?:\s*))?([(?<DATA:elasticsearch.node.name>.?)])?((?:\s))?)(?:[gc][(?NUMBER:elasticsearch.server.gc.overhead_seq(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:.[0-9]+)?)|(?:.[0-9]+))))))] overhead, spent [(?NUMBER:elasticsearch.server.gc.collection_duration.time:float(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:.[0-9]+)?)|(?:.[0-9]+))))))(?<DATA:elasticsearch.server.gc.collection_duration.unit>.?)] collecting in the last [(?NUMBER:elasticsearch.server.gc.observation_duration.time:float(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:.[0-9]+)?)|(?:.[0-9]+))))))(?<DATA:elasticsearch.server.gc.observation_duration.unit>.?)]))|(?:(?:[(?<TIMESTAMP_ISO8601:elasticsearch.server.timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))T 
:?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|+-(?::?(?:(?:[0-5][0-9])))))?)][(?LOGLEVEL:log.level([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))(?:\s*)?][(?<DATA:elasticsearch.component>.?)(?:\s)]((?:\s*))?([(?<DATA:elasticsearch.node.name>.?)])?((?:\s))?)(?:[gc][young][(?NUMBER:elasticsearch.server.gc.young.one(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:.[0-9]+)?)|(?:.[0-9]+))))))][(?NUMBER:elasticsearch.server.gc.young.two(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:.[0-9]+)?)|(?:.[0-9]+))))))](?:\s*)(?GREEDYMULTILINE:message(.|
))))|(?:(?:[(?<TIMESTAMP_ISO8601:elasticsearch.server.timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))T :?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|+-(?::?(?:(?:[0-5][0-9])))))?)][(?LOGLEVEL:log.level([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))(?:\s)?][(?<DATA:elasticsearch.component>.?)(?:\s)]((?:\s*))?([(?<DATA:elasticsearch.node.name>.?)])?((?:\s))?)(?:\s*)(([(?INDEXNAME:elasticsearch.index.name[a-zA-Z0-9_.-])]|[(?INDEXNAME:elasticsearch.index.name[a-zA-Z0-9_.-])/(?<DATA:elasticsearch.index.id>.?)]))?(?:\s)(?GREEDYMULTILINE:message(.|

I'm not able to figure out why this happens...

This looks like https://github.com/elastic/beats/issues/15840, i.e. an issue with Filebeat's ingest pipeline for Elasticsearch plaintext logs: the expanded grok pattern contains a repeat operator applied directly to another repeat (for example `(?:\s*)*` in the message above), which is what the warning complains about. It is apparently addressed in 7.6.0, but maybe you're using an old version of the pipeline. I'm moving this thread to the Beats forum, since I think there will be people there who can better advise you on how you should address this.

The same wall of text is logged for the Filebeat MySQL slowlog module.

Filebeat 7.6.1 on CentOS 8.

Mar 18 18:12:07 elk elasticsearch[29353]: regular expression has redundant nested repeat operator * /^# User@Host: (?<USER:user.name>(?:[a-zA-Z0-9._-]+))(\[(?<USER:mysql.slowlog.current_user>(?:[a-zA-Z0-9._-]+))\])? @ (?<HOSTNAME:source.domain>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))? \[(?<IP:source.ip>(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))?\](?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*))(Id:(?:\s*)(?<NUMBER:mysql.thread_id:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Thread_id:(?:\s*)(?<NUMBER:mysql.thread_id>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Schema:(?:\s*)(?<WORD:mysql.slowlog.schema>\b\w+\b)?(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Last_errno: (?<NUMBER:mysql.slowlog.last_errno:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Killed: (?<NUMBER:mysql.slowlog.killed:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(QC_hit: (?<WORD:mysql.slowlog.query_cache_hit>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Query_time: (?<NUMBER:temp.duration:float>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Lock_time: (?<NUMBER:mysql.slowlog.lock_time.sec:float>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Rows_sent: (?<NUMBER:mysql.slowlog.rows_sent:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Rows_examined: (?<NUMBER:mysql.slowlog.rows_examined:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Rows_affected: (?<NUMBER:mysql.slowlog.rows_affected:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Thread_id: (?<NUMBER:mysql.thread_id>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Errno: (?<NUMBER:mysql.slowlog.last_errno:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Killed: (?<NUMBER:mysql.slowlog.killed:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Bytes_received: (?<NUMBER:mysql.slowlog.bytes_received:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Bytes_sent: (?<NUMBER:mysql.slowlog.bytes_sent:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Read_first: (?<NUMBER:mysql.slowlog.read_first:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Read_last: (?<NUMBER:mysql.slowlog.read_last:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Read_key: (?<NUMBER:mysql.slowlog.read_key:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Read_next: (?<NUMBER:mysql.slowlog.read_next:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Read_prev: (?<NUMBER:mysql.slowlog.read_prev:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Read_rnd: (?<NUMBER:mysql.slowlog.read_rnd:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Read_rnd_next: (?<NUMBER:mysql.slowlog.read_rnd_next:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Sort_merge_passes: (?<NUMBER:mysql.slowlog.sort_merge_passes:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Sort_range_count: (?<NUMBER:mysql.slowlog.sort_range_count:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Sort_rows: (?<NUMBER:mysql.slowlog.sort_rows:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Sort_scan_count: (?<NUMBER:mysql.slowlog.sort_scan_count:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Created_tmp_disk_tables: (?<NUMBER:mysql.slowlog.tmp_disk_tables:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Created_tmp_tables: (?<NUMBER:mysql.slowlog.tmp_tables:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Tmp_tables: (?<NUMBER:mysql.slowlog.tmp_tables:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Tmp_disk_tables: (?<NUMBER:mysql.slowlog.tmp_disk_tables>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Tmp_table_sizes: (?<NUMBER:mysql.slowlog.tmp_table_sizes:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Start: (?<TIMESTAMP_ISO8601:event.start>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(End: (?<TIMESTAMP_ISO8601:event.end>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(InnoDB_trx_id: (?<WORD:mysql.slowlog.innodb.trx_id>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(QC_Hit: (?<WORD:mysql.slowlog.query_cache_hit>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Full_scan: (?<WORD:mysql.slowlog.full_scan>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Full_join: (?<WORD:mysql.slowlog.full_join>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Tmp_table: (?<WORD:mysql.slowlog.tmp_table>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Tmp_table_on_disk: (?<WORD:mysql.slowlog.tmp_table_on_disk>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Filesort: (?<WORD:mysql.slowlog.filesort>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Filesort_on_disk: (?<WORD:mysql.slowlog.filesort_on_disk>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Merge_passes: (?<NUMBER:mysql.slowlog.merge_passes:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Priority_queue: (?<WORD:mysql.slowlog.priority_queue>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(No InnoDB statistics available for this query(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(InnoDB_IO_r_ops: (?<NUMBER:mysql.slowlog.innodb.io_r_ops:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(InnoDB_IO_r_bytes: (?<NUMBER:mysql.slowlog.innodb.io_r_bytes:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(InnoDB_IO_r_wait: (?<NUMBER:mysql.slowlog.innodb.io_r_wait.sec:float>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(InnoDB_rec_lock_wait: (?<NUMBER:mysql.slowlog.innodb.rec_lock_wait.sec:float>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(InnoDB_queue_wait: (?<NUMBER:mysql.slowlog.innodb.queue_wait.sec:float>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(InnoDB_pages_distinct: (?<NUMBER:mysql.slowlog.innodb.pages_distinct:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Log_slow_rate_type: (?<WORD:mysql.slowlog.log_slow_rate_type>\b\w+\b)(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(Log_slow_rate_limit: (?<NUMBER:mysql.slowlog.log_slow_rate_limit:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?:([ #
Mar 18 18:12:07 elk elasticsearch[29353]: ]*)))?(?:(# explain:.*
Mar 18 18:12:07 elk elasticsearch[29353]: |#\s*
Mar 18 18:12:07 elk elasticsearch[29353]: )*)?(use (?<WORD:mysql.slowlog.schema>\b\w+\b);
Mar 18 18:12:07 elk elasticsearch[29353]: )?SET timestamp=(?<NUMBER:mysql.slowlog.timestamp:long>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))));
Mar 18 18:12:07 elk elasticsearch[29353]: (?<GREEDYMULTILINE:mysql.slowlog.query>(.|
Mar 18 18:12:07 elk elasticsearch[29353]: )*)/

Since my bug report was closed due to it not being confirmed - is anyone else seeing these?

Can someone please fix this? The bug's rendered our site search totally useless.

Same here after jumping to 7.6.x.
ES 7.6.1
Filebeat 7.6.1 with mysql slow queries module enabled.

A fix is in the works:

The same problem with MySQL in 7.6.2


If you find this topic via a search engine and still see the error after upgrading to a newer version that contains the fix, note that the old Filebeat ingest pipelines are probably still installed on your Elasticsearch deployment and need to be removed manually for the error to disappear. See "Filebeat Elasticsearch module pipeline causing regex error on Elasticsearch cluster node", Issue #15840 in elastic/beats on GitHub.
