All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DB Connect 3.0.2 Not Honoring Sourcetype in Props.conf

torndorff
Explorer
‎05-01-2017 03:51 PM

Im upgrading my DB Connect to 3.0.2 from 2.4.0, but the assigned sourcetype for the data isnt picking up the timezone designation in props.conf. During the effort, I'm also trying to switch from applying timezone by source and instead assign by sourcetype.

The database is plain MS SQL with a datetime column type. The timestamp output is default. Everything is working except the timestamp isnt being picked up as UTC.

My old props.conf on the Splunk instance running DB Connect:

[source::dbx_sourcename]
TZ = UTC

My new props.conf on the Splunk instance running DB Connect:

[name_of_sourcetype]
TZ = UTC

But whenever the data is searched, its displayed in the UI as the UTC.

0 Karma
Reply

hhGA
Communicator
‎05-02-2017 03:21 AM

Hi,

This is a known issue with DBConnect 3 (DBX-4019,DBX-4021).

The workaround that I have found is to change the value of the timestamp in the SQL query.

For example (SQL):
(SELECT *, dateadd(hh, 1, OriginalTimestamp) NewTimestamp FROM Table

The 'dateadd()' function is in the following format:
dateadd(<time unit to modify>, <modify by value>, <timestamp to modify>), <new timestap name>

Then change the date field to NewTimestamp in DBConnect. The above example adds one hour to the time field on a UTC source where Splunk is assuming it is in BST.

Just remember to:

A. Change everything back when the issue has been fixed.
B. Ensure that the new field does not conflict with any existing extractions you have.

Hope this helps.

Reply

paulbannister
Communicator
‎05-02-2017 03:12 AM

Hi There,

I believe this is a known issue with DB Connect 3.0.2 (DBX-4019,DBX-4021), as we have the same issue with some of the data sources we have, in the meantime we've had to make time adjustments either within the searches or in some cases within the SQL query of the data source

https://docs.splunk.com/Documentation/DBX/3.0.2/ReleaseNotes/Releasenotes

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...