# comment
input{
	file{
		path => ["/etc/logstash/conf.d/logstash/elasticsearch_slowlogs/es_slowlog.log"]
                start_position => "beginning"
                sincedb_path => "/dev/null"
		codec => plain {
                    charset => "ISO-8859-15" #Reads plaintext with no delimiting between events
        	}
	}
}
filter {
	grok {
		match => { "message" => ['\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:level}\]\[%{HOSTNAME:type}\]%{SPACE}\[%{HOSTNAME:[node_name]}\]%{SPACE}\[%{WORD:[index_name]}\]%{NOTSPACE}%{SPACE}took\[%{NUMBER:took_micro}%{NOTSPACE}\]%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{NOTSPACE}%{SPACE}search_type\[%{WORD:search_type}\]%{NOTSPACE}%{SPACE}total_shards\[%{NUMBER:total_shards}\]%{NOTSPACE}%{SPACE}source%{GREEDYDATA:query}\Z']}
	}
	
	mutate{
		remove_field => ["@version","@timestamp","host","path","logTook"] 
	}
} 
output{
	elasticsearch{
		hosts => ["localhost:9200"] 
		index => "es-slow-logs" 
	}
	stdout { 
		codec => "rubydebug"
	 }
}