https://community.splunk.com/t5/Splunk-Search/db-connect-datetime-fields-not-timestamp/m-p/108576#M183482 <P>The reason is because the ctime extraction is being used at index time only for the event time.</P> <P>You need to configure Splunk to recognize other time fields as time, because otherwise Spunk just assumes you want the number.</P> <P>An example of a search time field extraction for epoch time is:<BR /> search <SOME search=""> | convert timeformat="%H:%M:%S" ctime(scheduled) AS ScheduledTime |</SOME></P> <P>I've never actually tried this, but it should work according to the documentation.<BR /> Documentation/Splunk/5.0.3/SearchReference/Convert</P> Mon, 29 Jul 2013 14:45:12 GMT lukejadamec 2013-07-29T14:45:12Z https://community.splunk.com/t5/Splunk-Search/db-connect-datetime-fields-not-timestamp/m-p/108575#M183481 <P>Hello experts,</P> <P>I am using DB Connect to pull in data from a MySQL database table. The tail works and the field i set to be the timestamp works as expected.</P> <P>the issue comes from other fields that are set to MySQL DATETIME field type. When these are imported Splunk they are turning up in this format "updated_at=1375083603.000" apposed to "2013-03-07 00:06:00" in the database (DATETIME) field type.</P> <P>I am at a loss of what is going on here, I added in the datetime formatting for the output section of the DB connect but think that only works for the timestamp which works ok.</P> <P>below is a copy on an event with private data removed, as you can see the scheduled and updated_at fields are DATETIME within MySQL...</P> <P><CODE>2013-07-29T08:35:02.000<BR /> id=5260<BR /> item=xxxxxxx<BR /> status=finished<BR /> metadata=xxxxxxxxx<BR /> schedule_type=scheduled<BR /> scheduled=1375086900.000<BR /> no_reboot=true<BR /> deleted_on=<BR /> deleted_status=<BR /> updated_at=1375083603.000<BR /> number=xxxx<BR /> name=xxxxxx<BR /> label=xxxxxx</CODE></P> <P>Where would I be going wrong, any tips or guidance would be muchly received.</P> <P>Cheers</P> Mon, 29 Jul 2013 11:26:21 GMT https://community.splunk.com/t5/Splunk-Search/db-connect-datetime-fields-not-timestamp/m-p/108575#M183481 jamesmonico 2013-07-29T11:26:21Z https://community.splunk.com/t5/Splunk-Search/db-connect-datetime-fields-not-timestamp/m-p/108576#M183482 <P>The reason is because the ctime extraction is being used at index time only for the event time.</P> <P>You need to configure Splunk to recognize other time fields as time, because otherwise Spunk just assumes you want the number.</P> <P>An example of a search time field extraction for epoch time is:<BR /> search <SOME search=""> | convert timeformat="%H:%M:%S" ctime(scheduled) AS ScheduledTime |</SOME></P> <P>I've never actually tried this, but it should work according to the documentation.<BR /> Documentation/Splunk/5.0.3/SearchReference/Convert</P> Mon, 29 Jul 2013 14:45:12 GMT https://community.splunk.com/t5/Splunk-Search/db-connect-datetime-fields-not-timestamp/m-p/108576#M183482 lukejadamec 2013-07-29T14:45:12Z https://community.splunk.com/t5/Splunk-Search/db-connect-datetime-fields-not-timestamp/m-p/108577#M183483 <P>Another possibility is to use a database function during your original query to convert the DATETIME data type into a character string format that Splunk will recognize as a time. In Oracle I use the <CODE>"to_char"</CODE> function something like this:</P> <P><CODE>select to_char(scheduled,'YYYY-MM-DD HH24:MI:SS') scheduledtime from table;</CODE></P> <P>I'm assuming that MySQL would have something similar.</P> Wed, 31 Jul 2013 16:40:17 GMT https://community.splunk.com/t5/Splunk-Search/db-connect-datetime-fields-not-timestamp/m-p/108577#M183483 pmdba 2013-07-31T16:40:17Z