Using @timestamp field in SQL queries

prwillmot · September 7, 2018, 11:13am

given a simple sample index, the following works perfectly running from Kibana dev console and includes @timestamp as a column in the output:

POST _xpack/sql?format=txt
{
"query":"SELECT * FROM sampleindex LIMIT 10"
}

and, the following also works as expected assuming fieldA and fieldB exist in the index:

POST _xpack/sql?format=txt
{
"query":"SELECT fieldA, fieldB FROM sampleindex LIMIT 10"
}

BUT, when I try to include the @timestamp column in the select list I get error (see end of this post):

POST _xpack/sql?format=txt
{
"query":"SELECT @timestamp, fieldA, fieldB FROM sampleindex LIMIT 10"
}

Do we need to use some form of escape prefix for the '@'?

ERROR OUTPUT starts here:

{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "line 1:8: mismatched input '@timestamp' expecting {'(', 'ANALYZE', 'ANALYZED', 'CAST', 'CATALOGS', 'COLUMNS', 'DEBUG', 'EXECUTABLE', 'EXISTS', 'EXPLAIN', 'EXTRACT', 'FALSE', 'FORMAT', 'FUNCTIONS', 'GRAPHVIZ', 'LEFT', 'MAPPED', 'MATCH', 'NOT', 'NULL', 'OPTIMIZED', 'PARSED', 'PHYSICAL', 'PLAN', 'RIGHT', 'RLIKE', 'QUERY', 'SCHEMAS', 'SHOW', 'SYS', 'TABLES', 'TEXT', 'TRUE', 'TYPE', 'TYPES', 'VERIFY', '{FN', '{D', '{T', '{TS', '{GUID', '+', '-', '', '?', STRING, INTEGER_VALUE, DECIMAL_VALUE, IDENTIFIER, DIGIT_IDENTIFIER, QUOTED_IDENTIFIER, BACKQUOTED_IDENTIFIER}"
}
],
"type": "parsing_exception",
"reason": "line 1:8: mismatched input '@timestamp' expecting {'(', 'ANALYZE', 'ANALYZED', 'CAST', 'CATALOGS', 'COLUMNS', 'DEBUG', 'EXECUTABLE', 'EXISTS', 'EXPLAIN', 'EXTRACT', 'FALSE', 'FORMAT', 'FUNCTIONS', 'GRAPHVIZ', 'LEFT', 'MAPPED', 'MATCH', 'NOT', 'NULL', 'OPTIMIZED', 'PARSED', 'PHYSICAL', 'PLAN', 'RIGHT', 'RLIKE', 'QUERY', 'SCHEMAS', 'SHOW', 'SYS', 'TABLES', 'TEXT', 'TRUE', 'TYPE', 'TYPES', 'VERIFY', '{FN', '{D', '{T', '{TS', '{GUID', '+', '-', '', '?', STRING, INTEGER_VALUE, DECIMAL_VALUE, IDENTIFIER, DIGIT_IDENTIFIER, QUOTED_IDENTIFIER, BACKQUOTED_IDENTIFIER}",
"caused_by": {
"type": "input_mismatch_exception",
"reason": null
}
},
"status": 400
}

Andrei_Stefan · September 10, 2018, 6:39am

@prwillmot you need to escape that field name with double quotes. Something like "query": "SELECT \"@timestamp\", fieldA, fieldB FROM sampleindex LIMIT 10".

prwillmot · September 10, 2018, 7:04am

many thanks, this works perfectly

system · October 8, 2018, 7:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.