Im upgrading my DB Connect to 3.0.2 from 2.4.0, but the assigned sourcetype for the data isnt picking up the timezone designation in props.conf. During the effort, I'm also trying to switch from applying timezone by source and instead assign by sourcetype.
The database is plain MS SQL with a datetime column type. The timestamp output is default. Everything is working except the timestamp isnt being picked up as UTC.
My old props.conf on the Splunk instance running DB Connect:
[source::dbx_sourcename] TZ = UTC
My new props.conf on the Splunk instance running DB Connect:
[name_of_sourcetype] TZ = UTC
But whenever the data is searched, its displayed in the UI as the UTC.
This is a known issue with DBConnect 3 (DBX-4019,DBX-4021).
The workaround that I have found is to change the value of the timestamp in the SQL query.
For example (SQL):
(SELECT *, dateadd(hh, 1, OriginalTimestamp) NewTimestamp FROM Table
The 'dateadd()' function is in the following format:
dateadd(<time unit to modify>, <modify by value>, <timestamp to modify>), <new timestap name>
Then change the date field to NewTimestamp in DBConnect. The above example adds one hour to the time field on a UTC source where Splunk is assuming it is in BST.
Just remember to:
A. Change everything back when the issue has been fixed.
B. Ensure that the new field does not conflict with any existing extractions you have.
Hope this helps.
I believe this is a known issue with DB Connect 3.0.2 (DBX-4019,DBX-4021), as we have the same issue with some of the data sources we have, in the meantime we've had to make time adjustments either within the searches or in some cases within the SQL query of the data source