Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I getting two different date values in SQL and Splunk?

gajananh999
Contributor
‎09-22-2014 08:45 AM

Dear All,

I am connecting to the oracle database and i have multiple tables there so i wanted to merge more than two tables and get the data.
I trying to do sql inner join query but its not working for me so what i thought was get all the table data into splunk and merge it in splunk

Sql Query : sql + ROUND((MAX(PRS.END_DATE) - MIN(PRS.START_DATE)) * 3600,2) AS Run_Time_in_Sec + sql

I am getting Run_Time_in_sec as one value.

Splunk Query : search string + stats max(TOTAL) as max_total,max(END_DATE) as max_end_date,min(START_DATE) as min_start_date by ENTERPRISE_ID,RPT_QUEUE_ID | eval Run_Time_in_Sec=(max_end_date-min_start_date)*3600 | table Run_Time_in_sec

Run_Time_in_sec= some value;

Sql Query Run_Time_in_sec is different than splunk query Run_Time_in_sec

Why there is difference in final values

Can anyone tell me here where i am going wrong

0 Karma
Reply

pmdba
Builder
‎09-22-2014 08:16 PM

There does not appear to be any timestamp in your queries. Splunk isn't a relational database - it needs a timestamp in order to index data (it's all about when something happens). Besides the DBX documentation, try the Log File Analysis for Oracle 11g paper for a primer on getting data from Oracle into Splunk. Also check out this post on date formatting when indexing Oracle data into Splunk.

Reply

gajananh999
Contributor
‎09-22-2014 11:51 AM

Can anyone help me out here

0 Karma
Reply

ppablo
Retired
‎09-23-2014 02:03 PM

Hi @gajananh999

Did @pmdba's response answer your question? You upvoted it, but you didn't accept it as an answer by clicking on the "Accept" button below the content of their post. Just want to make sure because this question can be marked as solved (as well as any other of your questions with correct answers that haven't been accepted yet) so other people with the same question can find this post much easier. This will prevent people from asking the same questions over and over again. Plus, you both get karma points 🙂 thanks!

Patrick

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...