Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure indexing of historical data from a database to be based off timestamp in rising column?

ronak
Path Finder
‎12-02-2014 08:27 AM

Setup

  • I've a db table job_run with five different timestamps (TS1 ~ TS5).
  • Total fields in table to be pulled into Splunk are 8.
  • The rising column is TS1 (first column) and is in yyyy-mm-dd hh24:mi:ss format .
  • The remaining TS columns are either EPOCH or yyyy-mm-dd or hh24:mi
  • I've specified TS1 as timestamp column in DB Input form where I define the db input with all the details

Need

What I'm trying to achieve is,

  1. Incremental pull happens based on rising column TS1
  2. When data is indexed, the column TS1 is used for indexing
  3. When I pull historical data, the indexing considers content of TS1 for indexing as opposed to indexing the records at the time of the pull (in which case, entire of historical data gets indexed with pull time as opposed to actual record generation time in database which is indicated by TS1)

Issues I'm facing

  1. When I pull historical data, the index timestamp becomes that of pull time instead of TS1 . Same behavior is observed when incremental runs happen.

The impact of this behavior is that, I cannot do historical pull as searches will not work with time picker. Search will not display the results because search will not find the data for historical duration say last two weeks, as all the historical data is indexes with pull time which is now.

How do I overcome this issue?

0 Karma
Reply

musskopf
Builder
‎12-07-2014 05:14 PM

Hello Ronak,

I'm assuming you're using the DB Connect App, right? If that's the case, have a look on a similar question:

http://answers.splunk.com/answers/183660/db-connect-why-datetime-field-in-mssql-is-imported.html#ans...

It's tailored for MS SQL Server but the idea of configuring the timestamp parsing format is the same for any DB.

Cheers

Reply

musskopf
Builder
‎12-07-2014 05:16 PM

Here another similar answer: http://answers.splunk.com/answers/143775/timestamp-recognition-with-dbconnect-app.html#answer-143903

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...