Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bad timestamps in DB Connect query results

Karunamon
Explorer
‎04-18-2013 09:45 AM

I am running a query via a created dashboard on one of my production databases. I defined this in the DB Connect app, and I am not actually indexing the contents of the database.

One of my searches on this dashboard is:

| dbquery Prod1 "select * from source where guid='$GUID$'"

This query works and returns valid data for all fields except any time stamps. Instead of a readable timestamp, I just get a string of numbers like: 1349484107.000 (I assume this is an epoch date)

The fields in question on the database are of type DATETIME and some TIMESTAMP, and when running this query with the standard command line MySQL, proper dates are returned.

How do I correct the display format of these fields without indexing the data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cramasta
Builder
‎04-18-2013 10:15 AM

you can use the convert command to convert epoch to a human readabletimestamp

| dbquery Prod1 "select * from source where guid='$GUID$'" | convert timeformat="%Y:%m:%d% H:%M:%S" ctime(FIELD_WITH_EPOCH) AS c_time

View solution in original post

Reply
Solved! Jump to solution
Solution

cramasta
Builder
‎04-18-2013 10:15 AM

you can use the convert command to convert epoch to a human readabletimestamp

| dbquery Prod1 "select * from source where guid='$GUID$'" | convert timeformat="%Y:%m:%d% H:%M:%S" ctime(FIELD_WITH_EPOCH) AS c_time

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎08-06-2013 10:14 AM

You can use a calculated field (EVAL- in props.conf) to convert your fields to something pretty-printed.

0 Karma
Reply
Solved! Jump to solution

cramasta
Builder
‎04-18-2013 10:29 AM

I dont think dbconnect app has a way of being told what fields are timestamps other than what is used to create the index time of the data.

You will probably either have to do it with the convert command or you can possible do it within the sql query itself

Example I stole from the web

SELECT DATE_FORMAT(FROM_UNIXTIME(date_col), '%e %b %Y') AS date_formatted . . .

Reply
Solved! Jump to solution

Karunamon
Explorer
‎04-18-2013 10:18 AM

Okay, that definitely works, but it's going to make for some hellaciously ugly search strings considering I have about 7 or 8 different time fields in this query result. Is there a way to have the human readable format be the default for all queries and relevant fields?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...