Hi,
I am trying to save an Oracle query in DB Connect.
SELECT ATOH.LASTUPDATEDTTIME,
       TRANSACTIONEXECUTIONTS,
       (CASE EventSourcecd
            WHEN '0012' THEN 'LTS-AccessAllstate'
            ELSE ''
        END) application_id,
       WEBSERVERIPADDRESSNBR as destination,
       'Microsoft-IIS/8.5' as service,
       IPADDRESS as source_address,
       NTLOGINID as user_id,
       USERSESSIONGUID as interaction_id,
       APPLICATIONSERVERNM as destination_host,
       (CASE TRANSACTIONCD
            WHEN '0037' THEN 'Session_start'
            WHEN '0042' THEN 'Session_end'
            ELSE 'UserAccess_Changes'
        END) event_type,
       C.BUSINESSVALUEDISPLAYED as event_name,
       NTLOGINID as object,
       (CASE TASKSTATUSCD
            WHEN '0002' THEN 'Successful'
            ELSE 'Failure'
        END) result,
       'info' as severity,
       WEBPAGEURLNM as url_path
FROM TZPROD.AUDITTRAILONLINEACTIONHEADER ATOH
INNER JOIN TZPROD.Codes C
    ON ATOH.TRANSACTIONCD = C.CODEINCOMMONCOLLECTION
   AND C.CODEATTRIBUTEID = 416
WHERE EventSourcecd = '0012'
  AND ATOH.lastupdatedttime >= Sysdate - interval '15' MINUTE
  AND ATOH.TRANSACTIONCD IN ('0045','0046','0050','0051','0052','0037','0042') {{AND $rising_column$ > ?}}
The rising column is TRANSACTIONEXECUTIONTS.
I am getting all the fields when I check the data in dbquery, but I am not getting both the time fields in Splunk search. I haven't used any of the time fields in the timestamp column. If I provide a timestamp column, only the other time field comes in Splunk and the timestamp field comes as _time, but the actual field name is not present.
Can anyone tell me why this is happening?
Thanks!!