
SQL Server Data Onboarding thru DBConnect - Timestamp shifting issue

rajim
Path Finder

I have a SQL Server table that needs to be onboarded into Splunk using the DBConnect app. I have onboarded that. But right now I am facing a problem with timestamp shifting.

In my table there are three timestamp columns. I am using one of the columns as the rising column as well as the timestamp for the event. Whenever the data is indexed, all three fields have the same timestamp as is present in the table. But _time is shifted by 4 hours from its original field time. They should be the same. Below is one such example:

Three timestamp fields: field1, field2 and field3.
Rising column and event timestamp field: field3
Sample values in the DB table:
field1 = 2018-08-02 08:22:10.0
field2 = 2018-08-02 07:45:39.0
field3 = 2018-08-03 06:45:39.0

After onboarding into Splunk, the values are like below:
field1 = 2018-08-02 08:22:10.0
field2 = 2018-08-02 07:45:39.0
field3 = 2018-08-03 06:45:39.0
_time = 2018-08-03T10:45:39.000+00:00

These two times (field3 and _time) should be the same. But _time is shifted by 4 hours. Could someone please look into this and let me know how to fix this?

0 Karma

akocak
Contributor

Rajim,
An easy solution would be to add the following to props.conf under your sourcetype for the database input (the value would be -4 hours from the current timezone):
TZ=
Good practice in general with DB inputs is to convert the time to EPOCH in your SQL query and use this incremental field as the rising column. This would give you the advantage of only needing
TZ=UTC
in your props.conf as well.

0 Karma
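The following is an added example, not code from the post or from Splunk DB Connect: it reproduces the 4-hour shift from the question and shows why an epoch rising column removes the ambiguity. A timestamp string with no zone designator (which is what a SQL Server datetime column gives DB Connect) is interpreted in whatever zone is effective at index time, so the same text lands on a different _time depending on TZ. Assumptions: fixed UTC offsets stand in for named zones (UTC-4 plays the role of America/New_York in August), the second and third rows are constructed here to exercise the rising-column check, and the field names are taken from the question.

```python
"""Added example (not from the post): reproduce the 4-hour _time shift and the
epoch rising-column alternative. Offsets are fixed (UTC-4 stands in for
America/New_York in August); the first row is copied from the question."""
from datetime import datetime, timedelta, timezone

# Constructed sample rows: the row from the question plus two later ones
# (the later two are invented here to exercise the rising-column check).
SAMPLE_ROWS = [
    {"field1": "2018-08-02 08:22:10.0", "field2": "2018-08-02 07:45:39.0",
     "field3": "2018-08-03 06:45:39.0"},
    {"field1": "2018-08-03 09:00:00.0", "field2": "2018-08-03 08:30:00.0",
     "field3": "2018-08-03 07:15:00.0"},
    {"field1": "2018-08-03 09:10:00.0", "field2": "2018-08-03 09:05:00.0",
     "field3": "2018-08-03 07:20:00.0"},
]
DB_FORMAT = "%Y-%m-%d %H:%M:%S.%f"   # text form of a SQL Server datetime, e.g. 2018-08-03 06:45:39.0
TIMESTAMP_FIELD = "field3"           # the column used both as rising column and event time


def interpret_naive(ts: str, offset_hours: int) -> datetime:
    """A timestamp with no zone designator is read in the effective zone:
    whatever TZ says in props.conf, or the indexer's own zone if TZ is unset."""
    naive = datetime.strptime(ts, DB_FORMAT)
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours)))


def splunk_time_utc(ts: str, offset_hours: int) -> str:
    """Render the event time the way the question shows _time (UTC, +00:00)."""
    aware = interpret_naive(ts, offset_hours).astimezone(timezone.utc)
    return aware.strftime("%Y-%m-%dT%H:%M:%S.000+00:00")


def to_epoch(ts: str, offset_hours: int) -> int:
    """Integer epoch seconds. With offset 0 this is what the T-SQL expression
    DATEDIFF(SECOND, '1970-01-01', field3) yields when the column holds UTC
    wall-clock values, i.e. the value the answer suggests as a rising column."""
    return int(interpret_naive(ts, offset_hours).timestamp())


def new_rows_since(rows, checkpoint_epoch: int, db_offset_hours: int = 0):
    """Emulate an epoch rising column: return (epoch, row) pairs whose epoch is
    strictly greater than the last checkpoint, in ascending order. Because the
    epoch is computed once, at query time, no zone can be applied to it later."""
    tagged = [(to_epoch(r[TIMESTAMP_FIELD], db_offset_hours), r) for r in rows]
    return sorted((e, r) for e, r in tagged if e > checkpoint_epoch)


if __name__ == "__main__":
    ts = SAMPLE_ROWS[0][TIMESTAMP_FIELD]
    print("field3 as stored:             ", ts)
    print("_time, indexer at UTC-4:      ", splunk_time_utc(ts, -4))   # the shift from the post
    print("_time, TZ = UTC in props.conf:", splunk_time_utc(ts, 0))
    print("epoch shift:", to_epoch(ts, -4) - to_epoch(ts, 0), "seconds")
    last_checkpoint = to_epoch(ts, 0)
    for epoch, row in new_rows_since(SAMPLE_ROWS, last_checkpoint):
        print("new row since checkpoint:", epoch, row[TIMESTAMP_FIELD])
```

Running it shows the stored value 06:45:39 becoming _time 10:45:39+00:00 when read at UTC-4, and staying at 06:45:39+00:00 when read as UTC, a difference of exactly 14400 seconds. The rising-column emulation returns only rows strictly after the checkpoint, which is the property DB Connect relies on; note that T-SQL DATEDIFF returns a 32-bit int, so for dates past January 2038 the query would need DATEDIFF_BIG (SQL Server 2016 and later).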