I managed to solve my problem.
I missed it both from the logs and the docs, but actually this codec plugin (csv) doesn't come installed, so you have to install it first with:
bin/logstash-plugin install logstash-codec-csv
After that I had to escape newline from fields to avoid unwanted line breaks:
mutate {
gsub => [ "[Query]", "[\n]", "\\\\n" ]
gsub => [ "[PreparedQuery]", "[\n]", "\\\\n" ]
}
The plugin will take care of doubling any double quote in the data (that's how you escape doublequotes).
For the separator I have opened another thread in the forum, see: