https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306605#M36626 <P>The best workaround I have for that is to just write an eval after I bring in my dbxquery. <CODE>|eval CREATED=strptime(CREATED,"%Y-%m-%d %H:%M:%S.%3N")</CODE></P> <P>you could also use convert. <CODE>|convert mktime(CREATED) timeformat="%Y-%m-%d %H:%M:%S.%3N"</CODE><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Convert">https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Convert</A><BR /> There might be another way, but that's what I do.</P> Mon, 22 May 2017 15:48:39 GMT cmerriman 2017-05-22T15:48:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306604#M36625 <P>Hello!<BR /> I used Splunk DB Connect v1 and now I updated it to Splunk DB Connect v3. I get data from oracle sql.<BR /> I have several TIMESTAMP type columns that in version 1 were saved in the epoch format, but in version 3 they are stored in human readable format.</P> <P>Example (CREATED is TIMESTAMP type):</P> <PRE><CODE>Version 1: CREATED = 1495450599.159 Version 3: CREATED = 2017-05-22 13:56:39.159 </CODE></PRE> <P>How to make so that in version 3 TIMESTAMP type was in epoch format?</P> Mon, 22 May 2017 14:21:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306604#M36625 BigCosta 2017-05-22T14:21:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306605#M36626 <P>The best workaround I have for that is to just write an eval after I bring in my dbxquery. <CODE>|eval CREATED=strptime(CREATED,"%Y-%m-%d %H:%M:%S.%3N")</CODE></P> <P>you could also use convert. <CODE>|convert mktime(CREATED) timeformat="%Y-%m-%d %H:%M:%S.%3N"</CODE><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Convert">https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Convert</A><BR /> There might be another way, but that's what I do.</P> Mon, 22 May 2017 15:48:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306605#M36626 cmerriman 2017-05-22T15:48:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306606#M36627 <P>Thanks for the quick response!<BR /> I need to be in the index TIMESTAMP was in epoch.<BR /> I already have an old index in which TIMESTAMP is in epoch and there are complex searches and applications that use epoch. In my situation, the use of this workaround is very difficult.</P> Tue, 23 May 2017 02:37:32 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306606#M36627 BigCosta 2017-05-23T02:37:32Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306607#M36628 <P>add this into your SQL statement:</P> <PRE><CODE>trunc((CREATED-TO_DATE('01-01-1970','MM-DD-YYYY')) * 86400) as indexTime </CODE></PRE> Tue, 23 May 2017 11:42:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306607#M36628 cmerriman 2017-05-23T11:42:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306608#M36629 <P>After adding, I get an error:</P> <PRE><CODE>SQLSyntaxErrorException: ORA-00932: inconsistent datatypes: expected NUMBER got INTERVAL DAY TO SECOND </CODE></PRE> <P>Here it works without error:</P> <PRE><CODE>(trunc(CREATED) - TO_DATE('01-01-1970', 'MM-DD-YYYY')) * 86400 as indexTime </CODE></PRE> <P>BUT time is rounded to one day. This is unacceptable to me. I need original accuracy.<BR /> In fact, DB Connect v3 converts a TIMESTAMP type to a DATATIME type.</P> <P>Can I make DB Connect v3 not do this with TIMESTAMP types, but just keep it in the form in which it is shown in oracle (1495450599.159)?</P> Wed, 24 May 2017 04:26:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306608#M36629 BigCosta 2017-05-24T04:26:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306609#M36630 <P>I found a workaround for the problem. <BR /> I changed the SQL query</P> <PRE><CODE>round((cast(CREATED as date)-to_date('01011970','MMDDYYYY'))*86400)||'.'||to_char(CREATED, 'FF') as CREATED_EPOCH </CODE></PRE> Mon, 05 Jun 2017 10:32:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306609#M36630 BigCosta 2017-06-05T10:32:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306610#M36631 <P>If your problem is resolved, please accept an answer to help future readers.</P> Mon, 05 Jun 2017 12:38:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306610#M36631 richgalloway 2017-06-05T12:38:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306611#M36632 <P>This worked for me:</P> <P>trunc((extract(day from (CREATED - to_date('01-JAN-1970','DD-MON-YYYY')))*86400+extract(hour from CREATED)*3600+extract(minute from CREATED)*60+extract(second from CREATED))) as indexTime,</P> Tue, 29 Sep 2020 19:10:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-DB-Connect-How-to-save-TIMESTAMP-type-fields-in-Epoch/m-p/306611#M36632 bjbrake 2020-09-29T19:10:22Z