topic Re: Why tail monitor configuration receiving dbconnect error Illegal pattern character &quot;I&quot; in Security https://community.splunk.com/t5/Security/Why-tail-monitor-configuration-receiving-dbconnect-error-Illegal/m-p/145520#M14597 <P><CODE>output.timestamp.format</CODE> needs to expressed as a Java SimpleDateFormat pattern, not a SQL date format. So your setting should be:</P> <PRE><CODE>output.timestamp.format = yyyy-MM-dd HH:mm:ss </CODE></PRE> Wed, 16 Jul 2014 17:28:14 GMT gkanapathy 2014-07-16T17:28:14Z Why tail monitor configuration receiving dbconnect error Illegal pattern character "I" https://community.splunk.com/t5/Security/Why-tail-monitor-configuration-receiving-dbconnect-error-Illegal/m-p/145519#M14596 <P>I am trying to setup a tail monitor on Oracle audit tables. Below is my configuration but I am receiving the dbconnect error Illegal pattern character "I" (full error below). Looking at previous posts I think it might be something with the timestamp formating. Someone must has gotten Oracle DB audit log table monitoring working from dbconnect rather than writing the audit logs out to a file</P> <PRE><CODE>[dbmon-tail://AMS/P17-Audit] host = P17 index = oracle_audit interval = auto output.format = kv output.timestamp = 1 output.timestamp.column = TIMESTAMP output.timestamp.format = YYYY-MM-DD HH24:MI:SS query = select to_char(timestamp,'YYYY-MM-DD HH24:MI:SS'), os_username,username,userhost,owner,obj_name,action,action_name,new_owner,new_name,obj_privilege,sys_privilege,admin_option,grantee,to_char(logoff_time,'YYYY-MM-DD HH24:MI:SS'), comment_text,sessionid,returncode,priv_used,sql_text from sys.dba_audit_trail {{WHERE $rising_column$ &gt; to_date (?,'YYYY-MM-DD HH:MI:SS')}} tail.rising.column = TIMESTAMP table = P17-Audit dbx8126:ERROR:Scheduler - Error while reloading database input=dbmon-tail://AMIS/PT11-Audit com.splunk.config.SplunkConfigurationException: Error instantiating output format kv: java.lang.IllegalArgumentException: Illegal pattern character 'I' at com.splunk.dbx.monitor.output.OutputFormatFactory.createOutputFormat(OutputFormatFactory.java:62) at com.splunk.dbx.monitor.DatabaseMonitor.&lt;init&gt;(DatabaseMonitor.java:137) at com.splunk.dbx.monitor.scheduler.Scheduler.loadDatabaseMonitor(Scheduler.java:216) at com.splunk.dbx.monitor.scheduler.Scheduler.reloadDatabaseMonitor(Scheduler.java:196) at com.splunk.dbx.monitor.DatabaseMonitoringManager$Reloader.run(DatabaseMonitoringManager.java:133) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(Unknown Source) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: java.lang.IllegalArgumentException: Illegal pattern character 'I' at java.text.SimpleDateFormat.compile(Unknown Source) at java.text.SimpleDateFormat.initialize(Unknown Source) at java.text.SimpleDateFormat.&lt;init&gt;(Unknown Source) at java.text.SimpleDateFormat.&lt;init&gt;(Unknown Source) at com.splunk.dbx.monitor.output.impl.BaseOutputFormat.&lt;init&gt;(BaseOutputFormat.java:36) at com.splunk.dbx.monitor.output.impl.SingleLineFormat.&lt;init&gt;(SingleLineFormat.java:11) at com.splunk.dbx.monitor.output.impl.KeyValueFormat.&lt;init&gt;(KeyValueFormat.java:20) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at com.splunk.util.Utils$Reflection.instantiate(Utils.java:880) at com.splunk.util.Utils$Reflection.instantiate(Utils.java:898) at com.splunk.dbx.monitor.output.OutputFormatFactory.createOutputFormat(OutputFormatFactory.java:58) </CODE></PRE> Wed, 16 Jul 2014 16:13:09 GMT https://community.splunk.com/t5/Security/Why-tail-monitor-configuration-receiving-dbconnect-error-Illegal/m-p/145519#M14596 barrymcintosh 2014-07-16T16:13:09Z Re: Why tail monitor configuration receiving dbconnect error Illegal pattern character "I" https://community.splunk.com/t5/Security/Why-tail-monitor-configuration-receiving-dbconnect-error-Illegal/m-p/145520#M14597 <P><CODE>output.timestamp.format</CODE> needs to expressed as a Java SimpleDateFormat pattern, not a SQL date format. So your setting should be:</P> <PRE><CODE>output.timestamp.format = yyyy-MM-dd HH:mm:ss </CODE></PRE> Wed, 16 Jul 2014 17:28:14 GMT https://community.splunk.com/t5/Security/Why-tail-monitor-configuration-receiving-dbconnect-error-Illegal/m-p/145520#M14597 gkanapathy 2014-07-16T17:28:14Z