Hi,
I have a config file which is used to get the slowlogs, and in it I want only the query content in the source_body.
Can anyone help me with how to achieve this?
    input {
      file {
        path => "F:\elasticsearch-2.4.0\elasticsearch-2.4.0\logs\elasticsearch_index_search_slowlog.log"
        start_position => "beginning"
      }
    }
    filter {
      grok { # parses the common bits; "[" and "]" are escaped because they are regex metacharacters in grok
        match => [ "message", "\[%{TIMESTAMP_ISO8601:TIMESTAMP}\]\[%{LOGLEVEL:LEVEL}%{SPACE}\]\[%{DATA:QUERY}\]%{SPACE}\[%{DATA:QUERY1}\]%{SPACE}\[%{DATA:INDEX-NAME}\]\[%{DATA:SHARD}\]%{SPACE}took\[%{DATA:TOOK}\],%{SPACE}took_millis\[%{DATA:TOOKM}\], types\[%{DATA:types}\], stats\[%{DATA:stats}\], search_type\[%{DATA:search_type}\], total_shards\[%{NUMBER:total_shards}\], source\[%{DATA:source_query}\], extra_source\[%{DATA:extra_source}\],"]
      }
      mutate {
        # gsub takes [field, regex, replacement]; the grok above names the field source_query,
        # and the trailing "], extra_source[" text has to be escaped to match literally
        gsub => [
          "source_query", "\], extra_source\[$", ""
        ]
      }
    }
    output {
      stdout { codec => rubydebug }
    }
My output is like this:
    "total_shards" => "5",
    "types" => "details",
    "LEVEL" => "WARN",
    "message" => "[2017-01-14 10:59:58,593][WARN ][index.search.slowlog.query] [yaswanth] [bank][1] took[52.2ms], took_millis[52], types[details], stats[], search_type[QUERY_THEN_FETCH], total_shards[5], source[{\"sort\":[{\"balance\":{\"order\":\"asc\"}}]}], extra_source[], \r",
    "SHARD" => "1",
    "search_type" => "QUERY_THEN_FETCH",
    "tags" => [],
    "QUERY1" => "yaswanth",
    "TOOK" => "52.2ms",
    "path" => "F:\\elasticsearch-2.4.0\\elasticsearch-2.4.0\\logs\\elasticsearch_index_search_slowlog.log",
    "TOOKM" => "52",
    "source_query" => "{\"sort\":[{\"balance\":{\"order\":\"asc\"}}]}",
    "@timestamp" => 2017-01-14T13:27:16.685Z,
    "INDEX-NAME" => "bank",
    "QUERY" => "index.search.slowlog.query",
    "TIMESTAMP" => "2017-01-14 10:59:58,593",
    "@version" => "1",
    "host" => "yaswanth"
And I also want to remove the quotation marks (i.e. instead of "host"=>"yaswanth" I want host=>yaswanth).
Any help would be highly appreciated.
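The parsing the post's grok pattern does, carried through in plain Ruby as an added example (it is not part of the original post and not Logstash's own code): the slowlog line is matched with a regex equivalent to the grok pattern, the `source[...]` text is parsed as JSON into a `source_body` field, and the event is rendered as `key=>value` lines without the quoting that the rubydebug codec adds. The sample line, the node name and the `source_body`/`format_plain` names are constructed for this example; the `_jsonparsefailure` tag follows the Logstash json filter's convention for a query that is not valid JSON.

```ruby
require 'json'

# Constructed sample line in the ES 2.x index.search.slowlog format shown in the post
# (node name and values are made up; the trailing "\r" mimics a Windows line ending).
SAMPLE_LINE = '[2017-01-14 10:59:58,593][WARN ][index.search.slowlog.query] [node-1] [bank][1] ' \
              'took[52.2ms], took_millis[52], types[details], stats[], search_type[QUERY_THEN_FETCH], ' \
              'total_shards[5], source[{"sort":[{"balance":{"order":"asc"}}]}], extra_source[], ' + "\r"

# Regex equivalent of the grok pattern in the post. Brackets are escaped because "[" opens a
# character class in regex/grok, and the source capture is non-greedy so that "]" characters
# inside the query JSON do not end the match early (grok's DATA is non-greedy as well).
SLOWLOG_RE = %r{
  \A\[(?<timestamp>[^\]]+)\]
  \[(?<level>\w+)\s*\]
  \[(?<logger>[^\]]+)\]\s*
  \[(?<node>[^\]]+)\]\s*
  \[(?<index>[^\]]+)\]\[(?<shard>\d+)\]\s*
  took\[(?<took>[^\]]+)\],\s*
  took_millis\[(?<took_millis>\d+)\],\s*
  types\[(?<types>[^\]]*)\],\s*
  stats\[(?<stats>[^\]]*)\],\s*
  search_type\[(?<search_type>[^\]]+)\],\s*
  total_shards\[(?<total_shards>\d+)\],\s*
  source\[(?<source>.*?)\],\s*
  extra_source\[(?<extra_source>.*?)\],
}x

# Parse one slowlog line into a hash of fields; returns nil when the line does not match,
# which is the point at which a grok filter would tag the event _grokparsefailure.
def parse_slowlog(line)
  m = SLOWLOG_RE.match(line)
  return nil unless m

  event = m.names.each_with_object({}) { |n, h| h[n] = m[n] }
  # Numeric fields as integers, as a grok NUMBER plus mutate convert would give
  %w[shard took_millis total_shards].each { |k| event[k] = Integer(event[k]) }

  # The question's goal: keep only the query content, as a structured source_body field.
  raw_query = event.delete("source")
  begin
    event["source_body"] = JSON.parse(raw_query)
  rescue JSON::ParserError
    # Keep the raw text and tag the event instead of dropping it, the way Logstash's
    # json filter tags _jsonparsefailure, so a bad line is still visible downstream.
    event["source_body"] = raw_query
    event["tags"] = ["_jsonparsefailure"]
  end
  event
end

# Render the event as key=>value lines without Ruby's inspect-style quoting (which is what
# rubydebug prints). Nested values such as the parsed query are emitted as compact JSON.
def format_plain(event)
  event.sort.map do |key, value|
    text = (value.is_a?(Hash) || value.is_a?(Array)) ? JSON.generate(value) : value.to_s
    "#{key}=>#{text}"
  end.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts format_plain(parse_slowlog(SAMPLE_LINE))
end
```

Inside Logstash itself the same two steps map onto a `json` filter with `source => "source_query"` and `target => "source_body"` for the parsing, and a `line` codec with a `format` string on the stdout output for quote-free text in place of `rubydebug`; the Ruby above just makes the transformation visible outside the pipeline.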