All Apps and Add-ons

Oracle audit unified template SQL query not working for rising column

mayurr98
Super Champion

Hello

I am trying to get oracle unified logs into Splunk using Splunk DB connect and Oracle Add-on for Splunk.
oracle:audit:unified has default template with sql query :

SELECT *
FROM 
    (SELECT CAST((event_timestamp at TIME zone 'UTC') AS TIMESTAMP) EVENT_TIMESTAMP_UTC,u.*
    FROM UNIFIED_AUDIT_TRAIL u)
WHERE EVENT_TIMESTAMP_UTC > ?
ORDER BY  EVENT_TIMESTAMP_UTC ASC 

But it's giving java.sql.SQLException: ORA-12801: error signaled in parallel query server PPA7, instance -- (2) ORA-01843: not a valid month

I tried changing checkpoint value multiple times but its giving same error.

I get results when I run

SELECT *
FROM 
    (SELECT CAST((event_timestamp at TIME zone 'UTC') AS TIMESTAMP) EVENT_TIMESTAMP_UTC,u.*
    FROM UNIFIED_AUDIT_TRAIL u)
WHERE EVENT_TIMESTAMP_UTC > ?

but when I am adding order by its giving error. I am not sure if its a bug or I am doing something wrong.

0 Karma

arimaldo
Explorer

I have the same exact problem and I have been unsuccessful in finding a fix.  The unified audit was working with the Oracle queries until a few months back and then it stopped completing successfully (query times out). I even tried increasing the timeout to 3600 seconds and it still failed. Not sure what changed and/or if it's a bug with DBX or with Oracle 12 or both.

0 Karma

arun_kant_sharm
Path Finder

Hi @mayurr98 ,

i am also facing same error, do you get its solution?

0 Karma
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...