Deployment Architecture

Splunk DB Connect 1: Why are events from our Oracle database getting indexed with a default timestamp of "31-DEC-1970"?


Hello All,

I have configured Oracle DB with Splunk DB Connect 1, and most of the inputs that I am using are with tail.

I observed that events are applied with default time 31 DEC 1970, and this is causing an issue while indexing.

I have enabled output timestamp with timestamp column as table column name (XYZ) and the timestamp format is dd-MMM-YYYY HH:mm:ss.

Below are the column details:

28-JUN-2016 06:17:27
28-JUN-2016 06:18:19

Kindly correct me if I am missing anything here.

Thanks for your reply!

0 Karma

Splunk Employee
Splunk Employee

I know this doesn't actually answer your question, but I think it's important to note that DBX 1.x is no longer supported in 1 month:

Note: This Add-on will reach the end of its support lifecycle on July 29, 2016. Please see DB Connect v2 at .

Splunk Employee
Splunk Employee

I have done this a couple of different ways in the inputs.conf file within the local directory of the db connect app.

input_timestamp_column_name = RecordTime
to let Splunk handle the conversion automatically

input_timestamp_column_name = WHENGMT

I always have
output_timestamp_format = yyyy-MM-dd HH:mm:ss

It takes some trial an error to get certain data sets to work. I suggest sending the events (records) to a test index that you can delete. Then set the tail_rising_column_checkpoint_value back to 0 to re-import the events. Use the 'All Time' search so you can see future event timestamps in case you have the GMT offset wrong.


What is your query? Have you set $rising_column$ to XYZ?

If this reply helps you, an upvote would be appreciated.
0 Karma



Here is my query:

select * from tablename {{WHERE to_date($rising_column$,'DD-MON-YYYY HH24:MI:SS') > to_date(?,'DD-MON-YYYY HH24:MI:SS')}}

Yes, I have set!

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>