Splunk DB Connect 1: Why are events from our Oracle database getting indexed with a default timestamp of "31-DEC-1970"?

bharathkumarnec
Contributor

Hello All,

I have configured Oracle DB with Splunk DB Connect 1, and most of the inputs that I am using are with tail.

I observed that events are applied with default time 31 DEC 1970, and this is causing an issue while indexing.

I have enabled output timestamp with timestamp column as table column name (XYZ) and the timestamp format is dd-MMM-YYYY HH:mm:ss.

Below are the column details:

XYZ
28-JUN-2016 06:17:27
28-JUN-2016 06:18:19

Kindly correct me if I am missing anything here.

Thanks for your reply!


tmuth_splunk
Splunk Employee

I know this doesn't actually answer your question, but I think it's important to note that DBX 1.x is no longer supported in 1 month:

https://splunkbase.splunk.com/app/958/

Note: This Add-on will reach the end of its support lifecycle on July 29, 2016. Please see DB Connect v2 at https://splunkbase.splunk.com/app/2686/ .

kbrown_splunk
Splunk Employee

I have done this a couple of different ways in the inputs.conf file within the local directory of the db connect app.

input_timestamp_column_name = RecordTime
input_timestamp_format=
to let Splunk handle the conversion automatically

also
input_timestamp_column_name = WHENGMT
input_timestamp_format=yyyyMMddHHmmss

I always have
output_timestamp_format = yyyy-MM-dd HH:mm:ss

It takes some trial and error to get certain data sets to work. I suggest sending the events (records) to a test index that you can delete. Then set the tail_rising_column_checkpoint_value back to 0 to re-import the events. Use the 'All Time' search so you can see future event timestamps in case you have the GMT offset wrong.
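
A dry run of the trial-and-error step in the reply above, added here as an example and not code from the thread or from Splunk: it checks sample column values against a candidate input_timestamp_format before anything is sent to the test index. It assumes DB Connect 1 reads the format as a Java SimpleDateFormat-style pattern and handles only the tokens in TOKENS; the function names and the candidate format `dd-MMM-yyyy HH:mm:ss` are constructed for illustration.

```python
import re
from datetime import datetime, timezone

MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()
# Subset of SimpleDateFormat-style tokens (assumption: DB Connect 1 reads
# input_timestamp_format this way). Other tokens are rejected, not guessed.
TOKENS = {"yyyy": ("year", r"\d{4}"), "MMM": ("month", r"[A-Za-z]{3}"),
          "MM": ("month", r"\d{2}"), "dd": ("day", r"\d{2}"),
          "HH": ("hour", r"\d{2}"), "mm": ("minute", r"\d{2}"),
          "ss": ("second", r"\d{2}")}

def compile_format(fmt):
    """Translate the pattern into a regex with one named group per field."""
    parts = []
    for run in re.finditer(r"([A-Za-z])\1*|[^A-Za-z]+", fmt):
        text = run.group(0)
        if not text[0].isalpha():
            parts.append(re.escape(text))      # literal separator
        elif text in TOKENS:
            parts.append("(?P<%s>%s)" % TOKENS[text])
        else:
            raise ValueError("unsupported pattern token %r" % text)
    return re.compile("".join(parts))

def parse(value, fmt):
    """Return a UTC datetime, or None when the value does not fit fmt."""
    m = compile_format(fmt).fullmatch(value.strip())
    if m is None:
        return None
    f = m.groupdict()
    mon = f.get("month", "1")
    try:
        month = int(mon) if mon.isdigit() else MONTHS.index(mon.upper()) + 1
        return datetime(int(f.get("year", 1970)), month, int(f.get("day", 1)),
                        int(f.get("hour", 0)), int(f.get("minute", 0)),
                        int(f.get("second", 0)), tzinfo=timezone.utc)
    except ValueError:                         # unknown month name, day 31 in FEB, ...
        return None

def dry_run(rows, fmt):
    """Split sample values into {value: datetime} and a list of failures."""
    parsed = {v: parse(v, fmt) for v in rows}
    failed = [v for v, ts in parsed.items() if ts is None]
    return {v: ts for v, ts in parsed.items() if ts is not None}, failed

# Sample values copied from the question; both formats are candidates to try.
ROWS = ["28-JUN-2016 06:17:27", "28-JUN-2016 06:18:19"]
for fmt in ("dd-MMM-yyyy HH:mm:ss", "yyyyMMddHHmmss"):
    print(fmt, "->", dry_run(ROWS, fmt)[1] or "all rows parsed")
```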

richgalloway
SplunkTrust

What is your query? Have you set $rising_column$ to XYZ?

---
If this reply helps you, Karma would be appreciated.

bharathkumarnec
Contributor

Hi,

Here is my query:

select * from tablename {{WHERE to_date($rising_column$,'DD-MON-YYYY HH24:MI:SS') > to_date(?,'DD-MON-YYYY HH24:MI:SS')}}

Yes, I have set!
