Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What sourcetype should be used input MySQL data

ti786
Explorer
‎12-03-2013 04:27 AM

I am using the DB Connect app to connect to a MYSQL database and input the data from a table.

What sourcetype should I use for MySQL data in the Database Input:

  1. dbmon:kv
  2. dbmon:mkv
  3. or some other?

Also the datetime fields in the MySQL data like "2013-09-24 21:31:13" appear as "1385819882.000" in Splunk - is this format to do with the sourcetype and how can I get Splunk to keep the original format?

0 Karma
Reply

lukejadamec
Super Champion
‎12-03-2013 11:16 AM

Can you post the splunk\etc\apps\dbx\local\inputs.conf stanza for this MySQL input?

To view the raw data in Splunk you run a search that pulls the data from this input and then table it to _raw

search for MySQL data | table _raw

0 Karma
Reply

ti786
Explorer
‎12-03-2013 10:57 AM

Is it possible to view the rawdata in Splunk that is returned by a MySQL query run from Splunk?

The MySQL data has some datetime fields like "2013-09-24 21:31:13", but these appear as "1385819882.000" in Splunk - how can I get Splunk to keep the original datetime format?

0 Karma
Reply

ti786
Explorer
‎12-03-2013 10:55 AM

Is it possible to view the rawdata in Splunk that is returned by a MySQL query run from Splunk?

The MySQL data has some datetime fields like "2013-09-24 21:31:13", but these appear as "1385819882.000" in Splunk - how can I get Splunk to keep the original datetime format?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2013 09:04 AM

You'll probably get good results with KV. Experiment in a separate index until you get the results you want.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2013 12:58 PM

If you click on the DB Query button in the DB Connect app you can enter a query and see what would be indexed.

To get the datetime format you want, use CONVERT(datetime, column, 120).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ti786
Explorer
‎12-03-2013 10:58 AM

Is it possible to view the rawdata in Splunk that is returned by a MySQL query run from Splunk?

The MySQL data has some datetime fields like "2013-09-24 21:31:13", but these appear as "1385819882.000" in Splunk - how can I get Splunk to keep the original datetime format?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Top