Convert Filebeat mysql.* to ECS #10008

webmat · 2019-01-11T04:59:52Z

Caveats

Got rid of workaround for an Ingest Node issue fixed in 5.0, in 2016

Renames

mysql.error.message => message
mysql.error.level => log.level
mysql.error.thread_id => process.thread.id
mysql.slowlog.ip => source.ip
mysql.slowlog.host => source.domain
mysql.slowlog.user => user.name

TODO

Add -expected.json log for the error logs
Get rid of workaround for Ingest Node's grok can't set the same field from two patterns elasticsearch#22117, which was fixed in 5.0
Set event.created
Coerce int fields: process.thread.id, mysql.slowlog.id, mysql.slowlog.rows_sent, mysql.slowlog.rows_examined and mysql.slowlog.timestamp
Coerce float fields: mysql.slowlog.query_time.sec, mysql.slowlog.lock_time.sec
Populate event.duration based on mysql.slowlog.query_time.sec
Alias renamed fields to their ECS counterpart, not forgetting migration: true
Document field migrations in ecs-migration.yml
Changelog

filebeat/module/mysql/slowlog/test/mysql-5.7.22.log

filebeat/module/mysql/slowlog/test/mysql-5.7.22.log-expected.json

webmat · 2019-01-11T14:04:42Z

jenkins, test this

Seeing no change, grab logs from ubuntu file that showcase the fix.

To make it easy to distinguish between MySQL username and the source host address.

The double multiplication is to avoid float imprecision funny business.

webmat requested review from a team as code owners January 11, 2019 04:59

webmat self-assigned this Jan 11, 2019

webmat added module review Filebeat Filebeat ecs labels Jan 11, 2019

webmat requested a review from ruflin January 11, 2019 05:02

ruflin mentioned this pull request Jan 11, 2019

Transition Beats to ECS #8655

Closed

ruflin approved these changes Jan 11, 2019

View reviewed changes

filebeat/module/mysql/slowlog/test/mysql-5.7.22.log Show resolved Hide resolved

filebeat/module/mysql/slowlog/test/mysql-5.7.22.log-expected.json Show resolved Hide resolved

urso removed the request for review from a team January 11, 2019 14:57

Mathieu Martin added 11 commits January 11, 2019 13:58

Add small but error.log and -expected file to test error pipeline

3739f2d

Convert fields from mysql.error to ECS, get rid of 5.0 workaround

0663427

Add missing conversion to first grok...

3ab2709

Seeing no change, grab logs from ubuntu file that showcase the fix.

Perform slowlog field renames

77907d7

Perform all remaining coercions

52a1107

Replace the 'apphost' username with 'appuser'...

9cda38e

To make it easy to distinguish between MySQL username and the source host address.

Populate event.duration...

71a2a08

The double multiplication is to avoid float imprecision funny business.

Wait, mysql.slowlog.timestamp is a long as well.

557b92c

Alias the transitioned fields.

0142918

Document field migrations in ecs-migration.yml

7dcec32

Changelog

a55f8e4

webmat force-pushed the ecs-mysql-fb branch from bc44960 to a55f8e4 Compare January 11, 2019 18:59

webmat merged commit 383ccce into elastic:master Jan 11, 2019

webmat deleted the ecs-mysql-fb branch January 11, 2019 19:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Convert Filebeat mysql.* to ECS #10008

Convert Filebeat mysql.* to ECS #10008

webmat commented Jan 11, 2019 •

edited

Loading

webmat commented Jan 11, 2019

Convert Filebeat mysql.* to ECS #10008

Convert Filebeat mysql.* to ECS #10008

Conversation

webmat commented Jan 11, 2019 • edited Loading

webmat commented Jan 11, 2019

webmat commented Jan 11, 2019 •

edited

Loading