efk/pipelines/mysql-slow.json

curl -H "Content-Type: application/json" -X PUT http://127.0.0.1:9200/_ingest/pipeline/mysql-slow -d '
{
    "description" : "mysql-slow",
    "processors" : [
      {
        "grok" : {
          "field" : "message",
          "patterns" : [
            "^# Time: %{DATA:mysql.slowlog.exec_time}\n# User@Host: (?:%{USER:mysql.slowlog.user}|)\\[(?:%{USER:mysql.slowlog.user}|)\\] @ (?:%{HOSTNAME:mysql.slowlog.ip}|) \\[(?:%{HOSTNAME:mysql.slowlog.ip}|)\\][^#]*# Query_time: %{NUMBER:mysql.slowlog.query_time.sec}  Lock_time: %{NUMBER:mysql.slowlog.lock_time.sec} Rows_sent: %{NUMBER:mysql.slowlog.rows_sent}  Rows_examined: %{NUMBER:mysql.slowlog.rows_examined}\n%{SQLS:mysql.slowlog.query}"
          ],
          "pattern_definitions" : {
            "SQLS" : "(.*\n?)*"
          },
          "ignore_missing" : true,
          "ignore_failure" : true
        }
      },
      {
        "rename" : {
          "field" : "@timestamp",
          "target_field" : "read_timestamp"
        }
      },
      {
        "rename" : {
          "field" : "mysql.slowlog.exec_time",
          "target_field" : "@timestamp",
          "ignore_missing" : true,
          "ignore_failure" : true
        }
      },
      {
        "remove" : {
          "field" : "message"
        }
      }
    ]
}'