- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- DB Connect not parsing timestamp properly
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ir-respective of what timestamp is present in timestamp column of my Oracle DB, the timestamp in the event is replaced to "1970-01-01 00:59:59".
In oracle DB the timestamp column contains data like 2013-09-19T14:31:12
and the configuration in my inputs.conf is
[dbmon-tail://SAMPLE/SPLUNK_USER.SAMPLEINPUT]
host = testhost
interval = * * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = PAYLOADDATE
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
sourcetype = test_st
table = SPLUNK_USER.SAMPLEINPUT
tail.rising.column = PAYLOADDATE
index = default
query = SELECT * FROM SAMPLEINPUT {{WHERE $rising_column$ > ?}}
output.timestamp.format = yyyy-MM-dd HH:mm:ss
Note: PAYLOADDATE column is a varchar2 type
Can you please highlight what i am doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For your output and output parse formats, have you tried:
yyyy-MM-dd'T'HH:mm:ss
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what is the column type in your database? have you tried adding a SQL cast or convert to your SQL statement?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For your output and output parse formats, have you tried:
yyyy-MM-dd'T'HH:mm:ss
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
??? When you save the input configuration it should reset the connection and create log entries. If there are no errors, then you should see something like:
INFO:TailDatabaseMonitor - Database monitor - your input - finshed with status=true resultCount=xxx in duration=xxxxms
and
Scheduler - Execution of input= your db input finished in duration=xxx with resultCount=xxx success=true continuemonitoring=true.
But that means it is working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My mistake i used only T changed it to 'T' its working now thnx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there are no errors in dbx logs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the error in the dbx log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
then nothing gets indexed
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
