SQL Server Data Onboarding thru DBConnect - Timest...

rajim · ‎08-03-2018

I have a SQL Server table that needs to be onboarded into Splunk using DBConnect app. I have onboarded that. But right now I am facing a problem in timestamp shifting.

In my table there are three timestamp column. I am using one of the column as rising column as well as the timestamp for the event. Whenever the data is indexed, all three fields have same timestamp as it is present in the table. But _time is shifting by 4 hours than it's original field time. They should be same. Below is one such example:

Three timestamp fields: field1, field2 and field3.
Rising Column and Event timestamp field: field3
Sample values in DB table:
field1= 2018-08-02 08:22:10.0
field2=2018-08-02 07:45:39.0
field3=2018-08-03 06:45:39.0

After onboarding into Splunk, the values are like below:
field1= 2018-08-02 08:22:10.0
field2=2018-08-02 07:45:39.0
field3=2018-08-03 06:45:39.0
_time=2018-08-03T10:45:39.000+00:00

These two times (field3 and _time ) should be same. But _time is shifting by 4 hours. Could someone please look into this and let me know how to fix this?

akocak · ‎08-03-2018

Rajim,
Easy solution would be adding to props.conf under your sourcetype for database input: (value would be -4 hours from current timezone)
TZ=
Good practice in general with db inputs is to convert time to EPOCH in your SQL query and use this incremental field as raising column. This would give you advantage to use only
TZ=UTC
in your props.conf as well.

SQL Server Data Onboarding thru DBConnect - Timestamp shifting issue

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation