I am have the following stanza in my inputs.conf.
[dbmon-tail://DB/TABLE]
interval = 1m
query = SELECT SL_UID,SL_TIMESTAMP,from_tz(SL_TIMESTAMP, 'Europe/London') AT TIME ZONE 'UTC' AS SL_TIMESTAMP_UTC FROM schema.TABLE {{WHERE $rising_column$ > ?}}
tail.rising.column = SL_UID
output.format = kv
output.timestamp.column = SL_TIMESTAMP
sourcetype = mydata
disabled = 0
index=test
When I run the query from Oracle's SQL Developer, I get the expected one hour difference between SL_TIMESTAMP
and SL_TIMESTAMP_UTC
.
The output from Splunk DBX is
2014-04-08T15:00:45.000 SL_UID=21342912 SL_TIMESTAMP_UTC=
Having decompiled dbx.jar
, I think the problem is in com.splunk.util.Utils.unescapeString()
not unescaping the single quote '
correctly.
Is this a bug or have I configured something incorrectly?
Single quotes can be escaped with a back slash: \'