Splunk DB Connect 1: Why are events from our Oracle database getting indexed with a default timestamp of "31-DEC-1970"?

bharathkumarnec
Communicator

Hello All,

I have configured Oracle DB with Splunk DB Connect 1, and most of the inputs that I am using are with tail.

I observed that events are applied with default time 31 DEC 1970, and this is causing an issue while indexing.

I have enabled output timestamp with timestamp column as table column name (XYZ) and the timestamp format is dd-MMM-YYYY HH:mm:ss.

Below are the column details:

XYZ
28-JUN-2016 06:17:27
28-JUN-2016 06:18:19

Kindly correct me if I am missing anything here.

Thanks for your reply!

0 Karma

tmuth_splunk
Splunk Employee

I know this doesn't actually answer your question, but I think it's important to note that DBX 1.x is no longer supported in 1 month:

https://splunkbase.splunk.com/app/958/

Note: This Add-on will reach the end of its support lifecycle on July 29, 2016. Please see DB Connect v2 at https://splunkbase.splunk.com/app/2686/ .

kbrown_splunk
Splunk Employee

I have done this a couple of different ways in the inputs.conf file within the local directory of the db connect app.

input_timestamp_column_name = RecordTime
input_timestamp_format=
to let Splunk handle the conversion automatically

also
input_timestamp_column_name = WHENGMT
input_timestamp_format=yyyyMMddHHmmss

I always have
output_timestamp_format = yyyy-MM-dd HH:mm:ss

It takes some trial and error to get certain data sets to work. I suggest sending the events (records) to a test index that you can delete. Then set the tail_rising_column_checkpoint_value back to 0 to re-import the events. Use the 'All Time' search so you can see future event timestamps in case you have the GMT offset wrong.

richgalloway
SplunkTrust

What is your query? Have you set $rising_column$ to XYZ?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

bharathkumarnec
Communicator

Hi,

Here is my query:

select * from tablename {{WHERE to_date($rising_column$,'DD-MON-YYYY HH24:MI:SS') > to_date(?,'DD-MON-YYYY HH24:MI:SS')}}

Yes, I have set!

0 Karma