The default/props.conf for v2.0.2 of the add-on contains two issues - both of which are generating WARNING messages in splunkd.log
Issue #1
[mysql:errorLog:mysqld_safe]
EXTRACT-queries_in_queue = (?<queries_in_queue>[\.\d]+) queries \in queue
I believe that the slash before the in was an attempt to stop the "in queue" being treated as the 'regex in field' format of an EXTRACT.
I believe that the line should read:
EXTRACT-queries_in_queue = (?<queries_in_queue>[\.\d]+) queries\sin\squeue
Issue #2
[mysql:processInfo]
FIELDALIAS-cim_builder = thd_id AS process user AS user
Splunk was generating the following warning:
WARN FieldAliaser - Invalid field alias specification in stanza 'mysql:processInfo': FIELDALIAS-cim_builder='thd_id AS process user AS user'
I believe it's because of the redundant 'host AS host' and removing it in a local/props.conf appears to have confirmed this.
