Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What sourcetype should be used input MySQL data

ti786
Explorer
‎12-03-2013 04:27 AM

I am using the DB Connect app to connect to a MYSQL database and input the data from a table.

What sourcetype should I use for MySQL data in the Database Input:

  1. dbmon:kv
  2. dbmon:mkv
  3. or some other?

Also the datetime fields in the MySQL data like "2013-09-24 21:31:13" appear as "1385819882.000" in Splunk - is this format to do with the sourcetype and how can I get Splunk to keep the original format?

0 Karma
Reply

lukejadamec
Super Champion
‎12-03-2013 11:16 AM

Can you post the splunk\etc\apps\dbx\local\inputs.conf stanza for this MySQL input?

To view the raw data in Splunk you run a search that pulls the data from this input and then table it to _raw

search for MySQL data | table _raw

0 Karma
Reply

ti786
Explorer
‎12-03-2013 10:57 AM

Is it possible to view the rawdata in Splunk that is returned by a MySQL query run from Splunk?

The MySQL data has some datetime fields like "2013-09-24 21:31:13", but these appear as "1385819882.000" in Splunk - how can I get Splunk to keep the original datetime format?

0 Karma
Reply

ti786
Explorer
‎12-03-2013 10:55 AM

Is it possible to view the rawdata in Splunk that is returned by a MySQL query run from Splunk?

The MySQL data has some datetime fields like "2013-09-24 21:31:13", but these appear as "1385819882.000" in Splunk - how can I get Splunk to keep the original datetime format?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2013 09:04 AM

You'll probably get good results with KV. Experiment in a separate index until you get the results you want.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2013 12:58 PM

If you click on the DB Query button in the DB Connect app you can enter a query and see what would be indexed.

To get the datetime format you want, use CONVERT(datetime, column, 120).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ti786
Explorer
‎12-03-2013 10:58 AM

Is it possible to view the rawdata in Splunk that is returned by a MySQL query run from Splunk?

The MySQL data has some datetime fields like "2013-09-24 21:31:13", but these appear as "1385819882.000" in Splunk - how can I get Splunk to keep the original datetime format?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...