Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I getting two different date values in SQL and Splunk?

gajananh999
Contributor
‎09-22-2014 08:45 AM

Dear All,

I am connecting to the oracle database and i have multiple tables there so i wanted to merge more than two tables and get the data.
I trying to do sql inner join query but its not working for me so what i thought was get all the table data into splunk and merge it in splunk

Sql Query : sql + ROUND((MAX(PRS.END_DATE) - MIN(PRS.START_DATE)) * 3600,2) AS Run_Time_in_Sec + sql

I am getting Run_Time_in_sec as one value.

Splunk Query : search string + stats max(TOTAL) as max_total,max(END_DATE) as max_end_date,min(START_DATE) as min_start_date by ENTERPRISE_ID,RPT_QUEUE_ID | eval Run_Time_in_Sec=(max_end_date-min_start_date)*3600 | table Run_Time_in_sec

Run_Time_in_sec= some value;

Sql Query Run_Time_in_sec is different than splunk query Run_Time_in_sec

Why there is difference in final values

Can anyone tell me here where i am going wrong

0 Karma
Reply

pmdba
Builder
‎09-22-2014 08:16 PM

There does not appear to be any timestamp in your queries. Splunk isn't a relational database - it needs a timestamp in order to index data (it's all about when something happens). Besides the DBX documentation, try the Log File Analysis for Oracle 11g paper for a primer on getting data from Oracle into Splunk. Also check out this post on date formatting when indexing Oracle data into Splunk.

Reply

gajananh999
Contributor
‎09-22-2014 11:51 AM

Can anyone help me out here

0 Karma
Reply

ppablo
Retired
‎09-23-2014 02:03 PM

Hi @gajananh999

Did @pmdba's response answer your question? You upvoted it, but you didn't accept it as an answer by clicking on the "Accept" button below the content of their post. Just want to make sure because this question can be marked as solved (as well as any other of your questions with correct answers that haven't been accepted yet) so other people with the same question can find this post much easier. This will prevent people from asking the same questions over and over again. Plus, you both get karma points 🙂 thanks!

Patrick

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...