All Apps and Add-ons

Regex Question for Database Field Extraction

cjs1031
Explorer

I am using DB connect and my customer has a need for an alert setup that runs the search string and looks to see if there are any new records in the table, if so, send an e-mail with all the details. Here is what I am running into. If I tell the string to search for time stamps is just uses the Splunk time stamp and not the create date and time of the actual record. This in turn causes this alert to check, see there are entries and shoots an email with every entry, even old ones. I think I need to change my string to find the latest set using a field called "create_date" however I am not sure how I would make this work. Maybe regex? I need some expertise on this. Example below.
create_date="2017-03-14 18:47:58.623"

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem.

If you can't do that, you should be able to use that as a field.

mysearch create_date>"2017-03-13" | whatever else you want ...

or whatever.

Using your create_date time above, I can do this run-anywhere example:

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date>"2017-03-15"

(Returns no results)

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-15"

Returns the one result it should. Other variations (with times) seems to work fine. Like

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-14 18:47:58.622"

Which doesn't return anything, but changing the time at the very end to "...623" returns it.

View solution in original post

0 Karma

Richfez
SplunkTrust
SplunkTrust

The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem.

If you can't do that, you should be able to use that as a field.

mysearch create_date>"2017-03-13" | whatever else you want ...

or whatever.

Using your create_date time above, I can do this run-anywhere example:

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date>"2017-03-15"

(Returns no results)

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-15"

Returns the one result it should. Other variations (with times) seems to work fine. Like

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-14 18:47:58.622"

Which doesn't return anything, but changing the time at the very end to "...623" returns it.

0 Karma

cjs1031
Explorer

Can you clarify this?
"The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem." It sounds like you know what I need to do however I am such a novice I am not fully understanding.

0 Karma

cjs1031
Explorer

Thanks! That did it!

0 Karma

Richfez
SplunkTrust
SplunkTrust

Sure.

When you create the DB Connect input (or when you edit it) there is a whole section of the input building that involves picking the timestamp column. Here's the section in the docs for that. Making sure that's set correctly so that Splunk uses the right column as the timestamp column will solve all the problems you've mentioned.

If you need more help with that, you'll have to be more specific about DB type, what sort of input is set up and so on.

0 Karma
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...