Using 7.1 Can't set @timestamp from message

pgervais · June 4, 2019, 2:17pm

I have a simple logstash definition file as shown below.
I can parse my message date properly with no dateparse error shown.
I cannot set the @timestamp with the ObsDate from my message input stream.
As well, the ruby output shows all my csv field names in lower case which is not the case in the sql db.
I have even tried to remove the Target statement in date filter as the documentation states its not required and becomes the default when not specified.

All output are essentially the same as:
{
"avgnetworktraffickbsec" => 0.0,
"@timestamp" => 2019-06-04T14:07:17.536Z,
"obsdate" => 2019-04-30T04:00:00.000Z,
"totalcpuloadmips" => 118.41,
"obshour" => 17,
"@version" => "1"
}

This config file is used to parse the sql data extracted from the db entry:CB_EZ14A

input {
jdbc {
jdbc_driver_library => "/home/pxg110/sqljdbc_4.2/sqljdbc42.jar"
jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
jdbc_user => "XXXXXXXXXXX"
jdbc_password => "XXXXXXXXXXXXX"
jdbc_connection_string => "jdbc:sqlserver://SD01CUVDB0521.OMEGA.DCE-EIR.NET:1433;"
statement => "SELECT ObsDate,ObsHour,TotalCPULoadMIPS,AvgNetworkTrafficKBsec FROM smg.dbo.smgdata WHERE (TransClass='CB_EZ14A') AND (ObsDate >= CONVERT(DATETIME, '2019-04-01', 102)) AND (ObsDate <= CONVERT(DATETIME, '2019-04-30', 102)) ORDER BY ObsDate;"
}
}
filter {
fingerprint {
source => "message"
target => "[@metadata][fingerprint]"
method => "SHA1"
key => "Tue_Jun_2019_08_25_CB_EZ14A"
base64encode => true
}

defines all the fields to be found in the csv file.

    csv {
            separator => " "
            columns =>    [
                    "ObsDate",
                    "ObsHour",
                    "TotalCPULoadMIPS",
                    "AvgNetworkTrafficKBsec"
            ]
            convert =>    {
                    "ObsDate"  =>  "date"
                    "ObsHour"  =>  "integer"
                    "TotalCPULoadMIPS"  =>  "float"
                    "AvgNetworkTrafficKBsec"  =>  "float"
            }
    }
    date {
            match => [ "ObsDate", "ISO8601"]
            target => "@timestamp"
   }
    mutate {
            remove_field => [ "ObsDate", "ObsHour"]
    }

}

output {

elasticsearch {

action => "index"

hosts => "localhost:9200"

document_id => "%{[@metadata][fingerprint]}"

index => "Tue_Jun_2019_08_25_CB_EZ14A"

#}
stdout {codec => rubydebug}

stdout {}

}

Badger · June 4, 2019, 6:09pm

Note that the value of obsdate does not have quotes around it, so it is not a string, but was already converted to a LogStash::Timestamp by the jdbc filter. A date filter cannot parse that. This is a known issue and the workaround is to mutate+convert the field to a string.

pgervais · June 4, 2019, 7:56pm

Badger , Thanks for the hint.
I have made the following minor mods based on the "known issue" provided as shown below.

   mutate {
            convert => { "obsdate" => "string" }
    }

Note: It only worked when I renamed my SQL fields name to lower case. EX: ObsDate => obsdate.
I suspects this is a jdc side effect.

system · July 2, 2019, 7:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash - set @timestamp from sql date column with JDBC input Logstash	4	4228	September 1, 2017
Date filter failing to set logs time as @timestamp field Logstash	4	1774	July 6, 2017
Date-filter - Issue with setting @timestamp with the value from my log Logstash	10	758	May 30, 2019
Problem with xml filter Logstash	12	4021	May 2, 2017
Datetime from MySQL via JDBC --> @timestamp assignment fails with _dateparsefailure Logstash	3	1183	January 8, 2020