Solved: Re: Compare data row count in Splunk Vs SQL server

MittalKamal · ‎11-25-2020

Hi,

I am fetching data for Splunk from Sql database. I found some of the rows are missing..

I am checking it for complete day with below splunk query

index="myavista_events" sourcetype="myavista:sitecore:sqldb" | stats count

and for the same period I am checking it SQL with sql query and found lots of diff in count.. In SQL data count is more as compare to Splunk.. SO some data is missing in Splunk.

I am fetching the data at every 5 min interval from DB.. And I tried to check the count in each fetch with below Splunk query..

index=_internal ServerName "format_hec_success_count"

This is giving count like format_hec_success_count=3365

But this number is also not matching with sql query for same timespan..

Please suggest how can I get the complete sql data in splunk...

MittalKamal · ‎01-07-2021

@thambisetty

I found the solution for it.. There should be integer incremented value for rising column that Spunk understand properly..

I also changed the rising column to it Id (int incremented value in DB) instead of datetime and its working fine..

View solution in original post

MittalKamal · ‎12-08-2020

@thambisetty

Sorry for late reply..

Rising column is eventDateTime

No, events are not overridden in DB

thambisetty · ‎11-26-2020

@MittalKamal

what is your rising column?

are events overwritten in 5 minutes in DB?

————————————
If this helps, give a like below.

MittalKamal · ‎01-07-2021

@thambisetty

I found the solution for it.. There should be integer incremented value for rising column that Spunk understand properly..

I also changed the rising column to it Id (int incremented value in DB) instead of datetime and its working fine..

Compare data row count in Splunk Vs SQL server

splunkd

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!