I am working with the Splunk DB Connect app and always have the same problem.
When I run the query in the preview page, I get the timestamp column in epoch time (I don't know why) with 13 digits.
When you want to create a new DB input, you need to fill in some parameters, and one of them is the rising column (if it's a tail query).
I chose this column for the rising column and also for the timestamp column. I need to choose between Epoch Time and Java Date.
Since the data looked like epoch time, I chose epoch time and then in the last parameter chose Output Timestamp format as
My OracleDB with column called: Creation_Date
Rising Column: Creation_Date
Timestamp Column: Creation_Date ; Epoch Time
Output Timestamp Format: YYYY-MM-dd HH:mm:ss
My Oracle DB: Splunk:
1. Splunk doesn't recognize this time as _time
2. If I try to manually force _time to get this time with
| eval Creation_Date=strftime(Creation_Date,"%F %T") | eval _time=strptime(Creation_Date,"%F %T"), this doesn't work and the _time is not correct.
3. Splunk's 13-digit number is not exactly epoch time (epoch is 10 digits: the number of seconds from 1.1.1970) - it gives the time in milliseconds. Maybe because of this, Splunk cannot convert it back to _time.
I will be happy to hear how to handle those cases.