Bad timestamps in DB Connect query results

Karunamon
Explorer

I am running a query via a created dashboard on one of my production databases. I defined this in the DB Connect app, and I am not actually indexing the contents of the database.

One of my searches on this dashboard is:

| dbquery Prod1 "select * from source where guid='$GUID$'"

This query works and returns valid data for all fields except any timestamps. Instead of a readable timestamp, I just get a string of numbers like: 1349484107.000 (I assume this is an epoch date).

The fields in question on the database are of type DATETIME and some TIMESTAMP, and when running this query with the standard command line MySQL, proper dates are returned.

How do I correct the display format of these fields without indexing the data?

0 Karma

cramasta
Builder

You can use the convert command to convert epoch to a human-readable timestamp:

| dbquery Prod1 "select * from source where guid='$GUID$'" | convert timeformat="%Y:%m:%d %H:%M:%S" ctime(FIELD_WITH_EPOCH) AS c_time
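
Extending the convert approach in the answer above to several time columns at once, as an added example that is not part of the original thread: convert accepts wildcards in field names, so a single ctime clause can cover every matching field. The field names, the *_at naming pattern and the makeresults sample row are assumptions constructed for illustration, so the search runs without DB Connect.

```spl
| makeresults
| eval guid="constructed-sample-guid"
| eval created_at=1349484107.000, updated_at=1349487707.000, deleted_at=1349491307.000
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(*_at)
| table guid created_at updated_at deleted_at
```

Against the database, replace the first three lines with the dbquery search from the answer. Without an AS clause, convert overwrites each matched field in place, so the numeric epoch value is no longer available to later commands.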

sowings
Splunk Employee

You can use a calculated field (EVAL- in props.conf) to convert your fields to something pretty-printed.

0 Karma

cramasta
Builder

I don't think dbconnect app has a way of being told what fields are timestamps other than what is used to create the index time of the data.

You will probably either have to do it with the convert command or you can possibly do it within the SQL query itself.

Example I stole from the web:

SELECT DATE_FORMAT(FROM_UNIXTIME(date_col), '%e %b %Y') AS date_formatted . . .

Karunamon
Explorer

Okay, that definitely works, but it's going to make for some hellaciously ugly search strings considering I have about 7 or 8 different time fields in this query result. Is there a way to have the human readable format be the default for all queries and relevant fields?

0 Karma