All Apps and Add-ons

db connect 2 input: java date timestamp adding extra month

suarezry
Builder

I'm using db connect 2 v2.0.6 on splunk enterprise v6.3.0 to connect to oracle dB v11.2.0.4. Here's my inputs.conf:


[rpcstart://default]
javahome = /usr/lib/jvm/java-8-oracle
useSSL = 0
proc_pid = 21777

[mi_input://my_table]
connection = myDB
index = main
input_timestamp_column_name = USAGE_DATE
input_timestamp_column_number = 44
interval = 60
max_rows = 1000
mode = tail
output_timestamp_format = YYYY-MM-dd HH:mm:ss
query = SELECT COLOR_PAGES_ESTIMATED, PRINTER_ID, HARDWARE_CHECK_ID, REFUND_STATUS, DUPLEX, DUPLEX_PAGES, USED_BY_USER_ID, USAGE_COST, JOB_TYPE, REFUNDED, DOCUMENT_NAME, CANCELLED, DENIED_REASON, JOB_ID, REPLAYED, ORIGINAL_USAGE_COST, SIGNATURE, USAGE_ALLOWED, ARCHIVE_PATH, ORIGINAL_PRINTER_ID, DOCUMENT_SIZE_KB, PAPER_HEIGHT_MM, TOTAL_SHEETS, JOB_COMMENT, TOTAL_COLOR_PAGES, PRINTED, TO_CHAR(USAGE_DAY,'YYYY-MM-DD HH24:MI:SS') "USAGE_DAY", HARDWARE_CHECK_STATUS, CLIENT_MACHINE, TOTAL_PAGES, CHARGED_TO_ACCOUNT_ID, JOB_UID, COPIES, PRINTER_USAGE_LOG_ID, INVOICED, REFUND_REQUEST_ID, OFFLINE_USAGE, PROTOCOL, PRINTER_LANGUAGE, PAPER_WIDTH_MM, PAPER_SIZE, GRAY_SCALE, ASSOC_WITH_ACCOUNT_ID, TO_CHAR(USAGE_DATE,'YYYY-MM-DD HH24:MI:SS') "USAGE_DATE" FROM "PAPERCUT"."TBL_PRINTER_USAGE_LOG"
source = mydb
sourcetype = printing
tail_follow_only = 1
tail_rising_column_name = PRINTER_USAGE_LOG_ID
tail_rising_column_number = 37
ui_query_catalog = NULL
ui_query_mode = advanced
ui_query_schema = PAPERCUT
ui_query_table = TBL_PRINTER_USAGE_LOG
tail_rising_column_checkpoint_value = 7944782
disabled = 1
input_timestamp_format = YYYY-MM-dd HH:mm:ss


The problem is splunk has incorrectly parsed the timestamp to ADD an extra month. See attached screenshot, the month should be November not December:

alt text

How do I get splunk to parse the timestamp correctly?

0 Karma
1 Solution

marcusnilssonmr
Path Finder

Try yyyy instead of YYYY. The fomat YYYY is weakyear, which can give weird results.

View solution in original post

marcusnilssonmr
Path Finder

Try yyyy instead of YYYY. The fomat YYYY is weakyear, which can give weird results.

suarezry
Builder

This works. Thanks!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...