{
  "description": "Pipeline for parsing ProxySQL audit logs",
  "processors": [
    {
      "dissect": {
        "field": "client_addr",
        "pattern": "%{client_ip}:%{_client_port}"
      }
    },
    {
      "rename": {
        "field": "schemaname",
        "target_field": "schema"
      }
    },
    {
      "script": {
        "lang": "painless",
        "source": "if (ctx.duration != null && ctx.duration.endsWith('ms')) { ctx.duration_ms = Double.parseDouble(ctx.duration.replace('ms', '')); }"
      }
    },
    {
      "date": {
        "field": "timestamp",
        "target_field": "@timestamp",
        "formats": ["UNIX_MS"]
      }
    },
    {
      "remove": {
        "field": [
          "client_addr",
          "_client_port",
          "proxy_addr",
          "duration",
          "time",
          "timestamp",
          "ssl"
        ],
        "ignore_missing": true
      }
    }
  ]
}