Hi kvch,
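Thanks for your immediate response.
But the problem remains the same. I still get the error:
"Provided Grok expressions do not match field value"
Below I deleted the pipeline, re-created it from pipeline.json, and fetched it back: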
root@DB-1:/usr/local/filebeat-5.6.2-linux-x86_64/module/mysql/slowlog/ingest# curl -X DELETE 'http://10.254.254.60:9200/_ingest/pipeline/mysql_slow_logs' -u elastic -d '{"password" : "elasticpassword"}'
Enter host password for user 'elastic':
{"acknowledged":true}
root@DB-1:/usr/local/filebeat-5.6.2-linux-x86_64/module/mysql/slowlog/ingest# curl -H 'Content-Type: application/json' -X PUT 'http://10.254.254.60:9200/_ingest/pipeline/mysql_slow_logs' -d@pipeline.json -u elastic -d '{"password" : "elasticpassword"}'
Enter host password for user 'elastic':
{"acknowledged":true}
root@DB-1:/usr/local/filebeat-5.6.2-linux-x86_64/module/mysql/slowlog/ingest# curl -X GET 'http://10.254.254.60:9200/_ingest/pipeline/mysql_slow_logs?pretty' -u elastic -d '{"password" : "elasticpassword"}'
Enter host password for user 'elastic':
{
"mysql_slow_logs" : {
"description" : "Pipeline for parsing MySQL slow logs.",
"processors" : [
{
"grok" : {
"field" : "message",
"patterns" : [
"^# Time: %{NUMBER:mysql.slowlog.date} %{TIME:mysql.slowlog.time}\n# User@Host: %{USER:mysql.slowlog.user}(\\[[^\\]]+\\])? @ %{HOSTNAME:mysql.slowlog.host}? \\[(%{IP:mysql.slowlog.ip})?\\](\\s*Id:\\s* %{NUMBER:mysql.slowlog.id})?\n# Query_time: %{NUMBER:mysql.slowlog.query_time.sec}\\s* Lock_time: %{NUMBER:mysql.slowlog.lock_time.sec}\\s* Rows_sent: %{NUMBER:mysql.slowlog.rows_sent}\\s* Rows_examined: %{NUMBER:mysql.slowlog.rows_examined}\n(SET timestamp=%{NUMBER:mysql.slowlog.timestamp};\n)?%{GREEDYMULTILINE:mysql.slowlog.query}"
],
"pattern_definitions" : {
"GREEDYMULTILINE" : "(.|\n)*"
},
"ignore_missing" : true
}
},
{
"remove" : {
"field" : "message"
}
},
{
"date" : {
"field" : "mysql.slowlog.timestamp",
"target_field" : "@timestamp",
"formats" : [
"UNIX"
],
"ignore_failure" : true
}
}
],
"on_failure" : [
{
"set" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}
]
}
}