Use two windows. In one, run logstash with the -r option, so that it restarts every time the configuration is changed. In the other, run an editor and start with a configuration like
input { file { path => "/home/user/foo.txt" sincedb_path => "/dev/null" start_position => "beginning" codec => multiline { pattern => "^# User@Host:" negate => true what => "previous" auto_flush_interval => 2 } } }
filter {
grok { match => { "message" => ["^# User@Host: %{USER:[mysql][slowlog][user]}" }
}
output { stdout { codec => rubydebug { metadata => false } } }
Then add one field at a time to the grok pattern and write the configuration out so that logstash re-reads it. Keep going until it breaks. Then fix the pattern that broke. The first place yours breaks is ''(IP:[mysql][slowlog][ip])?". I think you want %{(IP:[mysql][slowlog][ip])}. If you need that field to be optional you could use a second pattern.