Replace @timestamp value with SQL DB datetime value

zakkhan · March 13, 2018, 2:19pm

I have tried everything but nothing worked. I need to replace @timestamp with my Datetime column value.

Format of both values
Datetime: 2017-08-23T13:20:09.000Z
@timesatmp: 2018-03-13T12:11:38.080Z

input {
jdbc {
jdbc_driver_library => "C:\Program Files\Microsoft JDBC Driver 6.0 for SQL Server\sqljdbc_6.0\enu\jre8\sqljdbc42.jar"
jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
jdbc_connection_string => "jdbc:sqlserver://serverName:Port;user=user;password=password;database=DBNAME;"
jdbc_user => "user"
jdbc_password => "password"
statement => "SELECT 'BizTalk Application' As PlatformType,[ServiceName] AS Platform,[MachineName] AS HOST,[DateTime],[ExceptionMessage] As Message FROM [QAEsbExceptionDb].[dbo].[Fault]"
type => "esblogs"
}
beats{
port=> "5044"
}
}

filter {
mutate{
add_field => [ "Received_at", "%{@timestamp}"]
convert => [ "DateTime", "string" ]
}
date{
match => [ "DateTime", "YYYY-MM-dd HH:mm:ss.SSSZ" ]
target => "@timestamp"
}
}

output{
stdout { codec => rubydebug }
}

Badger · March 13, 2018, 2:36pm

That does not match the format you have given for DateTime. Try

match => [ "DateTime", "YYYY-MM-dd'T'HH:mm:ss.SSS'Z'" ]

zakkhan · March 13, 2018, 2:42pm

I tried this but still no luck.

    "datetime" => 2017-11-03T10:18:54.000Z,
        "host" => "BTSBPMQA01",
        "type" => "esblogs",
    "@version" => "1",
"PlatformType" => "BizTalk Application",
  "@timestamp" => 2018-03-13T14:41:29.067Z,

Badger · March 13, 2018, 2:56pm

Field names are case sensitive. Try

match => [ "datetime", "YYYY-MM-dd'T'HH:mm:ss.SSS'Z'" ]

Christian_Dahlqvist · March 13, 2018, 3:02pm

As the datetime field is not formatted as a string (no surrounding ") in the rubydebug output, it could already be date object. You may be able to just copy it over without using the date plugin.

zakkhan · March 13, 2018, 3:27pm

I tried this as well. But didn't work:
mutate
{
copy=> [ "timestamp", "datetime"]
}

Output:

  "datetime" => 2017-11-03T10:19:00.000Z,
      "host" => "BTSBPMQA01",
      "type" => "esblogs",
  "@version" => "1",
"PlatformType" => "BizTalk Application",
"@timestamp" => 2018-03-13T15:23:42.031Z,

and when i tried with this:
mutate
{
copy=> [ "@timestamp", "datetime"]
}
It throws exceptiopn:
Exception in thread "Ruby-0-Thread-54@[main]>worker0: :1" java.lang.NullPointerException

vinodr · March 14, 2018, 4:33am

@zakkhan Can you try the below date filter:

  date {
    match => [ "datetime", "ISO8601" ]
  }

Reference:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html

zakkhan · March 14, 2018, 10:55am

Thanks but still not working.

magnusbaeck · March 14, 2018, 2:16pm

Known issue, see https://github.com/logstash-plugins/logstash-filter-date/issues/95 for workaround.

zakkhan · March 14, 2018, 2:20pm

Is this the right way to access DB column i.e. [DateTime] in filter section.

date{
match => ["DateTime", "YYYY-MM-dd HH:mm:ss.SSS"]
target => "@timestamp"
}

magnusbaeck · March 14, 2018, 2:39pm

Is this the right way to access DB column i.e. [DateTime] in filter section.

Yes.

zakkhan · March 14, 2018, 3:00pm

I am stuck. When i hard-code exact value of DateTime column in a temp field and use it instead of DateTime it works.

#DateTime = "2017-12-04 20:52:41.000"

mutate {
add_field => ["NewTimestamp","2017-12-04 20:52:41.000"]
}
date{
match => ["NewTimestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
target => "@timestamp"
}

magnusbaeck · March 14, 2018, 7:09pm

Did you read the GitHub issue I posted a link to?

zakkhan · March 15, 2018, 8:17am

Thanks. I was using wrong format of datetime conversion. My issue has been resolved now.

system · April 12, 2018, 8:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.