Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

dbxquery eval _time as column

zhatsispgx
Path Finder
‎02-14-2018 03:32 PM

Hi all,

I am trying to set the values in column insertepoch in a mysql database to be the new _time index in splunk to be able to timechart. The following search is returning with 0 results. In fact, when I take the timechart off, the query runs, however, I don't see it working and I'm not able to find anything in the way of a solution to this. 

| dbxquery shortnames=1 connection="myconn" query="SELECT * FROM `mydb`.`mytable` ORDER BY Id DESC Limit 200" |
eval insertepoch=strftime(insertepoch, "%Y-%m-%d %H:%M:%S.%N") |
eval _time=insertepoch | timechart span=1h count(_raw)

Please help! Thanks!

0 Karma
Reply

micahkemp
Champion
‎02-14-2018 06:00 PM

Disclaimer: I can’t test this right now

Try explicitly defining your needed fieldnames in your query, including insertedtime (which seems to be all that is needed for your example).

 | dbxquery shortnames=1 connection="myconn" query="SELECT insertepoch FROM `mydb`.`mytable` ORDER BY Id DESC Limit 200"
 | eval _time=insertepoch
 | timechart span=1h count

If that doesn’t work, please add the output of:

 | dbxquery shortnames=1 connection="myconn" query="SELECT insertepoch FROM `mydb`.`mytable` ORDER BY Id DESC Limit 200" |
0 Karma
Reply

zhatsispgx
Path Finder
‎02-15-2018 10:18 AM

Tested explicitly defining the fieldnames in the query and it didn't work. The output of | dbxquery shortnames=1 connection="myconn" query="SELECT insertepoch FROM mydb.mytable ORDER BY Id DESC Limit 200" | is an epoch timeformat which gets converted with eval insertepoch=strftime(insertepoch, "%Y-%m-%d %H:%M:%S.%N") |

sample output before eval:

1518714601
1518711331
1518710573

sample output after eval:

2018-02-15 11:15:02.000000000
2018-02-15 10:10:01.000000000
2018-02-15 09:15:31.000000000

I am guessing this has something to do with the data not being indexed.

0 Karma
Reply

micahkemp
Champion
‎02-15-2018 10:34 AM

I just edited my answer.

You don't need to do strftime if your value is already in epoch format. I'm sorry I missed this earlier, I was responding from my phone and didn't realize it was strftime instead of strptime to convert to epoch.

0 Karma
Reply
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...