Solved: Regex Question for Database Field Extraction

cjs1031 · ‎03-14-2017

I am using DB connect and my customer has a need for an alert setup that runs the search string and looks to see if there are any new records in the table, if so, send an e-mail with all the details. Here is what I am running into. If I tell the string to search for time stamps is just uses the Splunk time stamp and not the create date and time of the actual record. This in turn causes this alert to check, see there are entries and shoots an email with every entry, even old ones. I think I need to change my string to find the latest set using a field called "create_date" however I am not sure how I would make this work. Maybe regex? I need some expertise on this. Example below.
create_date="2017-03-14 18:47:58.623"

Richfez · ‎03-14-2017

The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem.

If you can't do that, you should be able to use that as a field.

mysearch create_date>"2017-03-13" | whatever else you want ...

or whatever.

Using your create_date time above, I can do this run-anywhere example:

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date>"2017-03-15"

(Returns no results)

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-15"

Returns the one result it should. Other variations (with times) seems to work fine. Like

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-14 18:47:58.622"

Which doesn't return anything, but changing the time at the very end to "...623" returns it.

View solution in original post

Richfez · ‎03-14-2017

The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem.

If you can't do that, you should be able to use that as a field.

mysearch create_date>"2017-03-13" | whatever else you want ...

or whatever.

Using your create_date time above, I can do this run-anywhere example:

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date>"2017-03-15"

(Returns no results)

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-15"

Returns the one result it should. Other variations (with times) seems to work fine. Like

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-14 18:47:58.622"

Which doesn't return anything, but changing the time at the very end to "...623" returns it.

cjs1031 · ‎03-15-2017

Can you clarify this?
"The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem." It sounds like you know what I need to do however I am such a novice I am not fully understanding.

cjs1031 · ‎03-16-2017

Thanks! That did it!

Richfez · ‎03-15-2017

Sure.

When you create the DB Connect input (or when you edit it) there is a whole section of the input building that involves picking the timestamp column. Here's the section in the docs for that. Making sure that's set correctly so that Splunk uses the right column as the timestamp column will solve all the problems you've mentioned.

If you need more help with that, you'll have to be more specific about DB type, what sort of input is set up and so on.

Regex Question for Database Field Extraction

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!