I'm losing my mind here so I'm hoping someone can point out where I'm being dumb.
My DB view has a date field and the dates are formatted "yyyy-MM-dd" (2023-08-15). However, when ingesting the data from the view with Logstash it freaking turns it into a Timestamp (2023-08-15T06:00:00.000Z) and I cannot figure out how to stop it from doing that.
I've tried:
Enforcing conversion to a date from the statement (created::date).
Using the DateFilter
date {
  match => ["created", "yyyy-MM-dd"]
  target => "created"
}
as well as using a date filter to try and push it into a whole new field
date {
  match => ["created", "yyyy-MM-dd"]
  target => "created_date"
}
and it just keeps the timestamp format no matter what I've tried. No errors during startup or indexing (unless I try to enforce the format in the custom-mappings file in which I get a date_time_parse exception because it's trying to format the timestamp into a date).
Installed the date_formatter plugin and I got it to format the date properly but for some fields it just spits out a bunch of warning log messages (with typo) if the field column is empty in the db.
Unsupporter source field. It is neither a ruby Time or a Logstash::Timestamp
Can I just do this somehow with Ruby Code? By just converting the date to a string and formatting it from there? Or maybe a better way? It really shouldn't be this difficult, especially since the DB already has the data in the date format I want! Why does Logstash convert it to a Timestamp?!
This is able to convert the date field properly that comes from the main query. The if statement is needed for a null check, otherwise you get a flood of warning messages whenever the object has a null for that particular field. Remember to remove the old source field later in the mutate {} block.
The next issue I had is we join in child objects using the jdbc_streaming plugin and I also needed to parse any dates that occurred there:
The jdbc input will automatically convert a date column fetched from the DB to a LogStash::Timestamp, no date filter required. And yes, that is usually a good thing.
It can be changed to a string in any desired date using ruby+strftime.
Because the field isn't a timestamp in the DB; it's just a date. And the users wouldn't/don't care to see a "00:00:00:000" at the end of date fields for all their records.
ruby+strftime is what I ended up using (see above) for the jdbc_streaming areas. I'm planning on converting the date_formatter blocks to use it as well.
No, they get the data returned from a frontend UI based on their search criteria. And instead of having to loop through tens of thousands of records to parse dates to the format they want every time they run a report, it (should be) easier to just have it be indexed that way in the first place.
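The ruby+strftime conversion with the null check discussed in this thread, as an added example that is not code from any poster here. It is plain Ruby so it runs outside Logstash, and it goes one step further than the thread by formatting in the zone the DB date was read in. The Hash standing in for the event, the `children` key and the fixed `-06:00` offset are assumptions.

```ruby
# Added example. A Hash stands in for the Logstash event; inside a ruby filter
# the same logic would read with event.get and write with event.set, and the
# jdbc value would be a LogStash::Timestamp (its .time is a Ruby Time).

DATE_FORMAT = '%Y-%m-%d'

# Return the calendar date as a string, or nil when the column was NULL or the
# value is not time-like (the case behind the flood of warnings).
# utc_offset: offset of the zone the DB date was read in (assumed fixed).
def date_only(value, utc_offset)
  value = value.time if value.respond_to?(:time) # unwrap timestamp wrappers
  return nil unless value.is_a?(Time)
  # Shift back to the original zone first; formatting in UTC can give the
  # previous day for zones east of UTC.
  value.getlocal(utc_offset).strftime(DATE_FORMAT)
end

# Rewrite the named fields of one record in place; nil fields stay nil.
def convert_dates!(record, fields, utc_offset)
  fields.each do |name|
    formatted = date_only(record[name], utc_offset)
    record[name] = formatted unless formatted.nil?
  end
  record
end

# Convert top-level fields and the same fields in joined child rows
# ("children" is a hypothetical jdbc_streaming target name).
def convert_event!(event, fields, utc_offset, child_key = 'children')
  convert_dates!(event, fields, utc_offset)
  Array(event[child_key]).each { |c| convert_dates!(c, fields, utc_offset) }
  event
end

# Constructed sample: DB date 2023-08-15 read at UTC-6, as in the question.
def sample_event
  {
    'created'  => Time.utc(2023, 8, 15, 6, 0, 0),
    'closed'   => nil,
    'children' => [{ 'created' => Time.utc(2023, 8, 16, 6, 0, 0) },
                   { 'created' => nil }]
  }
end

p convert_event!(sample_event, %w[created closed], '-06:00') if __FILE__ == $PROGRAM_NAME
```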