Logstash not saving additional fields

在一套正常运行的 Elastic Stack 上,我正在尝试把 MySQL slowlog 发送到 OSS Elasticsearch 集群。数据确实会保存到 ES(例如 [event][dataset]),但 [mysql][slowlog] 乃至整个 [mysql] 数组下的所有内容都被丢弃了。这是我的管道配置:

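# Pipeline: Filebeat (mysql module, slowlog fileset) -> grok -> Elasticsearch.
# The original paste lost its closing braces; they are restored here so the
# config is loadable as-is.
input {
    beats {
        port => 5404
        ssl => true
        client_inactivity_timeout => 240
        # Mutual TLS: with a CA list and force_peer, a beat that presents no
        # client certificate signed by that CA is rejected at the handshake.
        ssl_certificate_authorities => ["........pem"]
        ssl_certificate => ".........pem"
        ssl_key => "...........pem"
        ssl_verify_mode => "force_peer"
    }
}

filter {
  # Filebeat 7.6 / ECS 1.4 events carry the module name in [event][module];
  # there is no [fileset][module] field (the index mapping only has
  # fileset.name), so the former condition `[fileset][module] == "mysql"`
  # never matched and none of the [mysql][slowlog] fields were ever created.
  if [event][module] == "mysql" {
    if [fileset][name] == "error" {
      # [mysql][error] part, not that relevant
    } else if [fileset][name] == "slowlog" {
      grok {
        match => { "message" => ["^# User@Host: %{USER:[mysql][slowlog][user]}(\[[^\]]+\])? @\s* \[%{IP:[mysql][slowlog][host]}\] \s*Id:\s* %{NUMBER:[mysql][slowlog][id]}\n# Schema: %{GREEDYDATA:[mysql][slowlog][schema]}\s* Last_errno: %{NUMBER:[mysql][slowlog][last_errno]}\s* Killed: %{NUMBER:[mysql][slowlog][killed]}\n# Query_time: %{NUMBER:[mysql][slowlog][query_time][sec]}\s* Lock_time: %{NUMBER:[mysql][slowlog][lock_time][sec]}\s* Rows_sent: %{NUMBER:[mysql][slowlog][rows_sent]}\s* Rows_examined: %{NUMBER:[mysql][slowlog][rows_examined]}\s* Rows_affected: %{NUMBER:[mysql][slowlog][rows_affected]}\n# Bytes_sent: %{NUMBER:[mysql][slowlog][bytes_sent]}\n(SET timestamp=%{NUMBER:[mysql][slowlog][timestamp]};\n)?%{GREEDYMULTILINE:[mysql][slowlog][query]}"] }
        # Custom pattern so the trailing statement may span several lines.
        pattern_definitions => {
          "GREEDYMULTILINE" => "(.|\n)*"
        }
        # The raw event is dropped once parsed; note that
        # [mysql][slowlog][query] still keeps the full SQL statement text
        # (including any literal values), so read access to this index should
        # be scoped with that in mind.
        remove_field => "message"
      }
      date {
        # No target given, so the slow log's own "SET timestamp=" value
        # becomes @timestamp instead of the ingest time.
        match => [ "[mysql][slowlog][timestamp]", "UNIX" ]
      }
      mutate {
        # Strip the "# Time: ..." line the next entry leaks into this query.
        gsub => ["[mysql][slowlog][query]", "\n# Time: [0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9](\.[0-9]+)?$", ""]
        add_field => {"locktime" => "%{[mysql][slowlog][lock_time][sec]}"}
      }
    }
  }
}

output {
    elasticsearch {
      user => "logstash_writer"
      # Masked here; for a committed pipeline keep the secret out of the file
      # via a keystore/environment reference (e.g. "${ES_PWD}", name illustrative).
      password => "******"
      hosts => ["localhost:9200", "localhost:9201"]
      index => "%{[@metadata][beat]}-%{+YYYY.MM}"
    }
}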

即使我尝试把一些值保存到 duration 字段而不是 [mysql][slowlog][query_time][sec],或者把 [mysql][slowlog][lock_time][sec] 的值复制到新字段 locktime,这些字段也不会在 ES 上创建。几天来我一直在查阅文档并浏览类似的问题,但仍不知道我的管道出了什么问题…… 这是在 ES 上创建的映射:

  "mapping": {
    "_doc": {
      "properties": {
        "@timestamp": {
          "type": "date"
        "@version": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
        "agent": {
          "properties": {
            "ephemeral_id": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
            "hostname": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
            "id": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
            "type": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
            "version": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
        "ecs": {
          "properties": {
            "version": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
        "event": {
          "properties": {
            "dataset": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
            "module": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
        "fileset": {
          "properties": {
            "name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
        "host": {
          "properties": {
            "name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
        "input": {
          "properties": {
            "type": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
        "log": {
          "properties": {
            "file": {
              "properties": {
                "path": {
                  "type": "text",
                  "fields": {
                    "keyword": {
                      "type": "keyword",
                      "ignore_above": 256
            "flags": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
            "offset": {
              "type": "long"
        "message": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
        "service": {
          "properties": {
            "type": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
        "tags": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256

这是 ES 条目的示例:

  "took" : 346,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  "hits" : {
    "total" : {
      "value" : 1220,
      "relation" : "eq"
    "max_score" : 1.0,
    "hits" : [
        "_index" : "filebeat-2020.07",
        "_type" : "_doc",
        "_id" : "SSYId3MBlOlESbQxaGQs",
        "_score" : 1.0,
        "_source" : {
          "host" : {
            "name" : "nos12"
          "input" : {
            "type" : "log"
          "agent" : {
            "version" : "7.6.1",
            "type" : "filebeat",
            "ephemeral_id" : "1decb58b-dc7e-4bf9-8942-df203ef1504f",
            "hostname" : "nos12",
            "id" : "ea3f44c8-faa3-48e5-869c-3a4703c67818"
          "tags" : [
          "event" : {
            "dataset" : "mysql.slowlog",
            "module" : "mysql"
          "@timestamp" : "2020-07-22T14:47:44.559Z",
          "fileset" : {
            "name" : "slowlog"
          "message" : """# User@Host: pmm[pmm] @  []  Id: 5737606019
# Schema:   Last_errno: 0  Killed: 0
# Query_time: 0.000215  Lock_time: 0.000052  Rows_sent: 0  Rows_examined: 0  Rows_affected: 0
# Bytes_sent: 361
SET timestamp=1595429264;
SELECT /* pmm-agent:perfschema */ `performance_schema`.`events_statements_history`.`SQL_TEXT`, `performance_schema`.`events_statements_history`.`DIGEST`, `performance_schema`.`events_statements_history`.`CURRENT_SCHEMA` FROM `performance_schema`.`events_statements_history` WHERE DIGEST IS NOT NULL AND SQL_TEXT IS NOT NULL;""",
          "service" : {
            "type" : "mysql"
          "log" : {
            "flags" : [
            "file" : {
              "path" : "/mysql_data/slowquery/slow.log"
            "offset" : 10146495
          "@version" : "1",
          "ecs" : {
            "version" : "1.4.0"


# Schema:   Last_errno: 0  Killed: 0
# Query_time: 0.000211  Lock_time: 0.000055  Rows_sent: 0  Rows_examined: 0  Rows_affected: 0
# Bytes_sent: 361
SET timestamp=1595435719;
SELECT /* pmm-agent:perfschema */ `performance_schema`.`events_statements_history`.`SQL_TEXT`, `performance_schema`.`events_statements_history`.`DIGEST`, `performance_schema`.`events_statements_history`.`CURRENT_SCHEMA` FROM `performance_schema`.`events_statements_history` WHERE DIGEST IS NOT NULL AND SQL_TEXT IS NOT NULL;

grok 调试器结果:

  "[mysql][slowlog][rows_affected]": "0",
  "[mysql][slowlog][schema]": " ",
  "[mysql][slowlog][killed]": "0",
  "[mysql][slowlog][query]": "SELECT /* pmm-agent:perfschema */ `performance_schema`.`events_statements_history`.`SQL_TEXT`, `performance_schema`.`events_statements_history`.`DIGEST`, `performance_schema`.`events_statements_history`.`CURRENT_SCHEMA` FROM `performance_schema`.`events_statements_history` WHERE DIGEST IS NOT NULL AND SQL_TEXT IS NOT NULL;",
  "[mysql][slowlog][rows_examined]": "0",
  "[mysql][slowlog][host]": "",
  "[mysql][slowlog][rows_sent]": "0",
  "[mysql][slowlog][timestamp]": "1595429264",
  "[mysql][slowlog][id]": "5737606019",
  "[mysql][slowlog][last_errno]": "0",
  "[mysql][slowlog][lock_time][sec]": "0.000052",
  "[mysql][slowlog][user]": "pmm",
  "[mysql][slowlog][query_time][sec]": "0.000215",
  "[mysql][slowlog][bytes_sent]": "361"

有趣的是,即使使用无效的 grok 模式,我也会得到相同的结果,并且没有其他管道从 mysql 捕获 filebeat 数据:/

jenni 在 discuss.elastic.co 上找到了答案——解决方案是把(实际并不存在的)[fileset][module] 改为 [event][module]:
