Hello,
I have a doubt regarding the time stamp column in DB Connect inputs.
I have a table in which there are 4 time stamp columns, i.e. firstcasecreatedtime, firstcaseclosedtime, secondcasecreatedtime, secondcaseclosedtime. Let's say the oldest date I have in the firstcasecreatedtime column is 5/16/2006. If I select that column as the time stamp column in the DB Connect input set parameters, how does it match with the other column time stamps? The earliest date I have in secondcaseclosedtime is 7/23/2017.
Thanks
If you select current_index_time, then all the events will be indexed with the current time (_time), even if the database has events from previous years.
The timestamp columns in the table might give an idea of what they are. It might be a good idea to check with the data owner. Sometimes the SMEs of the data can give you a better understanding of what every field in the DB is. Even if you select one of your time stamp columns as the _time, you will still be able to report on all the other timestamps as well. Mostly you would want the timestamp column for when the event/incident first happened/was created.
Then what is the best way to index this type of data when there are 4 columns in the table with time stamps, please?
If you select current_index_time, then all the events will be indexed with the current time (_time), even if the database has events from previous years.
If I give current_index_time, will there be any change in the time for the columns which are imported from the tables? My aim is to not change the time stamps from the columns.
Splunk won't change the values of the columns in the table as it indexes them; it will set the Splunk field _time to the current_index_time.
The time stamp column is the column whose value Splunk will assign to _time. This means that when you select a time range to search in splunk, that's the value it will look for.
You can still search the other columns if you wish, although depending on the data types they may be stored by Splunk as text values rather than timestamps. You can use the eval strftime function to convert the time string to a timestamp, which will let you compare times.
The question "how does it match with the other column time stamps" isn't very clear. What is 'it'? What do you mean by match?
If I give one column for the timestamp, the indexer will store the data based on that, right? It will have dates like 2006 something, but what about the other columns, which have dates like 2010?
You can only assign one column as the indexed timestamp or _time field. This also applies to the concept of the "rising column". You can still index the other timestamp columns, but the date-time picker in the Splunk UI won't filter on those. You'll have to use SPL to filter on the other timestamp columns.
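As an added worked example (not from any poster in this thread), here is an SPL search for the situation the two answers above describe: firstcasecreatedtime has been chosen as the DB Connect timestamp column, so it drives _time and the time picker, while secondcasecreatedtime and secondcaseclosedtime arrive as plain string fields. The search converts those strings to epoch with strptime (the string-to-epoch direction; strftime goes the other way, epoch to string) and then filters and calculates on them in SPL. The index name cases, the sourcetype dbx:cases and the "%Y-%m-%d %H:%M:%S" string format (with an optional ".0" fractional part, which the replace() strips) are assumptions; check the actual field format with a quick `| head 5 | table secondcaseclosedtime` first.

```spl
index=cases sourcetype="dbx:cases"
| eval sc_created_epoch=strptime(replace(secondcasecreatedtime, "\.\d+$", ""), "%Y-%m-%d %H:%M:%S")
| eval sc_closed_epoch=strptime(replace(secondcaseclosedtime, "\.\d+$", ""), "%Y-%m-%d %H:%M:%S")
| where sc_closed_epoch >= relative_time(now(), "-1y@y") AND sc_closed_epoch < relative_time(now(), "@y")
| eval second_case_days_open=round((sc_closed_epoch - sc_created_epoch)/86400, 1)
| eval sc_closed_fmt=strftime(sc_closed_epoch, "%Y-%m-%d")
| sort 0 - sc_closed_epoch
| table _time firstcasecreatedtime secondcasecreatedtime sc_closed_fmt second_case_days_open
```

Because _time comes from firstcasecreatedtime (oldest value 2006), run this with the time picker set to "All time" or a range wide enough to cover the first-case dates; the `where` clause, not the picker, is what restricts the results to second cases closed last calendar year. If strptime returns null for every row, the assumed format string does not match the column's actual string layout and needs to be adjusted.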
What happens if I give current_index_time in that case, i.e. when I have 4 timestamp columns?