Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Compare data row count in Splunk Vs SQL server

MittalKamal
Explorer
‎11-25-2020 02:31 PM

Hi,

I am fetching data for Splunk from Sql database. I found some of the rows are missing..

I am checking it for complete day with below splunk query

index="myavista_events" sourcetype="myavista:sitecore:sqldb" | stats count

and for the same period I am checking it SQL with sql query and found lots of diff in count.. In SQL data count is more as compare to Splunk.. SO some data is missing in Splunk.

 

I am fetching the data at every 5 min interval from DB.. And I tried to check the count in each fetch with below Splunk query..

index=_internal ServerName "format_hec_success_count" 

This is giving count like format_hec_success_count=3365 

But this number is also not matching with sql query for same timespan..

Please suggest how can I get the complete sql data in splunk...

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

MittalKamal
Explorer
‎01-07-2021 01:23 PM

@thambisetty 

I found the solution for it.. There should be integer incremented value for rising column that Spunk understand properly..

I also changed the rising column to it Id (int incremented value in DB) instead of datetime and its working fine..

View solution in original post

0 Karma
Reply
Solved! Jump to solution

MittalKamal
Explorer
‎12-08-2020 01:25 PM

@thambisetty 

Sorry for late reply..

Rising column is eventDateTime

No, events are not overridden in DB

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎11-26-2020 02:59 AM

@MittalKamal 

what is your rising column?

are events overwritten in 5 minutes in DB?

 

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution
Solution

MittalKamal
Explorer
‎01-07-2021 01:23 PM

@thambisetty 

I found the solution for it.. There should be integer incremented value for rising column that Spunk understand properly..

I also changed the rising column to it Id (int incremented value in DB) instead of datetime and its working fine..

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...