I am using DB Connect app to get data from a Oracle DB. Everything works fine, but when it runs this query it says no results are generated. But this query does have data in the DB. Is there something wrong with my config? Do I need to add anything else to this config? Also if I don't use sourcetype, then where does it dump the csv? Default index I guess, am I right?
interval = 60000
query = select * from (select cluster_name,count(pk_id) from ccadmin.uc_phone where tk_model = 503 group by cluster_name) order by cluster_name
table = ccadmin.uc_phone
output.format = csv
sourcetype = sucstdb
output.fields = cluster_name count(pk_id)
output.timestamp = true
output.timestamp.column = RECORD_INSERTED
output.timestamp.parse.format = %s
Update : Got this error dbx5894:ERROR:DumpDatabaseMonitor - Error while executing database monitor: java.lang.NullPointerException
Update2: Made changes to inputs with output time in configs.. No change yet.
I noticed that your timestamp column isn't actually included in your query; If you want Splunk to insert a timestamp, then you don't need to specify a column name at all. If you want your timestamp to come from the database query, then the output.timestamp should be "false".
Also, the output.timestamp.parse.format of "%s" is not a recognized format (they're looking for a DB date/time format filter, not a printf specification), and your are missing the output.timestamp.format parameter completely.
Finally, there is no need to wrap a query within a query in your syntax. You would be fine with the following (assuming the "record_inserted" date is being provided by Splunk):
where tk_model = 502
group by cluster_name
order by cluster_name
If you need to select the date from the database, then make sure that column is first in the result set, and format it like this if the column is part of the source table: