All Apps and Add-ons

Help setting DB Connect input timestamp using yyyy-MM-dd HH:mm:ss.SSS format

johnward4
Communicator

I'm trying to work with a data input using DB Connect version 3.0 and I cannot get the below input to save using the field alias 'time' that using this format :

2020-03-21 00:11:12.387

Based off this article I added these configurations to my stanza to help DB Connect identify the correct timestamp format :

input_timestamp_format = yyyy-MM-dd HH:mm:ss.SSS
output_timestamp_format = yyyy-MM-dd HH:mm:ss.SSS

*The LogEntryId is my rising column and returns as column #1
*The time column/Timestamp returns as column #2

I've also uses the below Answers suggestion to try to resolve the NULL values possible issue :

https://answers.splunk.com/answers/616150/how-to-force-dbconnect-to-send-fields-with-null-va.html

[TestDB_2]
connection = TestDB
description = Test Query
disabled = 0
index = main
interval = */5 * * * *
max_rows = 1000
mode = advanced
output_timestamp_format = yyyy-MM-dd HH:mm:ss.SSS
query = SELECT le.LogEntryId AS [LogEntryId]
, [Date] AS [time]
, l.[Name] AS [Level]
, at.Name AS [Application Source]
, le.Logger AS [Logger]
, le.[Message] AS [Message]
, COALESCE(le.FullMessage, 'NA') AS [FullMessage]
, COALESCE(le.Exception, 'NA') AS [Exception]
, COALESCE(le.FullException, 'NA') AS [Full Exception]
FROM "Logging"."dbo"."LogEntry" le
JOIN "Logging"."dbo"."LevelType" l
ON l.LevelTypeId = le.LevelTypeId
JOIN "Logging"."dbo"."ApplicationSourceType" at
ON at.ApplicationSourceTypeId = le.ApplicationSourceTypeId
WHERE le.LogEntryId > '?'
AND le.LevelTypeId IN (3,4,5) -- WARN, ERROR, FATAL
AND at.[Name] != 'developer.example.com'
ORDER BY le.LogEntryId DESC;
sourcetype = Test
tail_rising_column_number = 1
input_timestamp_column_number = 2
input_timestamp_format = yyyy-MM-dd HH:mm:ss.SSS
index_time_mode = dbColumn

0 Karma

johnward4
Communicator

alt text
Here's the error I'm getting when trying to save the data input configuration even though I can return events when executing the query

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...