All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

is there a rising column equivalent for DB Connect V2 Output?

peterweinstein
Explorer
‎06-02-2015 11:33 AM

Hi,

I need to transfer Splunk extracts to Sql Server such that every record is written to Sql Server exactly one time. It doesn't need to be real time, for example, an hourly periodicity would be fine.

Currently, I am repeating the output every hour, and searching for the previous hour. This works but it is fragile and, given that Splunk may be down at times, the data saved to the database is incomplete.

We need the equivalent of a "rising column" -- Splunk should output all new records.

In SQL, I would select all records with a timestamp greater than the MAX of the previously written data.

What is the recommended approach using DB Connect V2?

Thanks,
Peter

Tags (1)
0 Karma
Reply

cramasta
Builder
‎07-09-2015 07:31 AM

Sounds like what you are looking for is the equivalent of the backfill command which is exists for summary indexing.

However that doesn't cover you in situations when in a distributed environment and you have a single indexer down for a period of time. During that time you will be exporting partial results and Splunk just continues on as if everything's all good. The only App that splunk has which deals with this type of failure is the hadoop connect app. When it runs a search to export it will not write out the data to hadoop unless all indexers are up. If even one indexer is down is reruns the search until ALL indexers are up. I really wish Splunk incorporated type of check into more of their Apps/Scheduler.

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎06-06-2015 03:01 PM

In Splunk, the equivalent would be the earliest search command. http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/SearchTimeModifiers

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...