Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk DB connect: How to avoid output duplicate data into database?

amoswuchi
Loves-to-Learn Lots
‎03-01-2023 01:02 AM

I am using Splunk DB connect to push my data from Splunk to oracle database. However, I can't not figure out how to avoid pushing same data into database. For example, if I specify earliest=-5m and make execution schedule every second, same data will be pushed into database. I have tried to set earliest=-5m and make execution schedule every 5 minutes. But it still have a little bug. Assume next execution time is 12:00:00, the time field in the data is 11:59:59 and upload to Splunk takes 2 seconds, then the time that data being stored in Splunk is 12:00:01. At this time, this data may not be pushed to databased since Splunk automatically catch the time in the time field of data. Anyone know how to solve this?

 

Labels (1)
Labels
0 Karma
Reply

amoswuchi
Loves-to-Learn Lots
‎03-01-2023 01:55 AM

Thanks for your reply. But when I get the unique events every time, Splunk still pushes these unique events repeatedly to database. Do I misunderstand something?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2023 01:58 AM

Possibly. Do you compare your events with what is already in the database before pushing the new ones to the database?

0 Karma
Reply

amoswuchi
Loves-to-Learn Lots
‎03-01-2023 04:49 PM

Yes. I have "ID" and "Time" fields which are the same in a table, and other fields are sensor data. I am not sure how to get unique event like this type of data.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 01:18 AM

OK so if you use a dbquery to retrieve the rows by ID and time, you would be able to tell if the event had already been stored in the database. Therefore, you can eliminate them and only send the remaining new events to the database.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2023 01:14 AM

If you can uniquely identify the events, you could filter what you are about to write to the database against what is already in the database.

For example, using a summary index instead of a database

index <source index>
...
| search NOT [search <target index>
              | fields <fields which uniquely identify events>]
| collect index=<target index>
0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...