Hello all,
I set up a DB Connect input to query data from SQL Server and store it in the index of Splunk. During the setup of the DB Connect input, I was prompted to select one column in the data to represent the time of the event or to choose the indexing time as the event time.
The problem is my event has start time and end time columns; it doesn't matter what column I select, in the end I will miss out on some events during a Splunk search.
For example, if I select start time as the event time, when Splunk searches for events between 1PM and 3PM, it only returns those events that have StartTime between 1PM and 3PM, and misses those events that start earlier than 1PM but end after 1PM/3PM.
In the picture below, only events A and B will show up in the result of the search, but I will miss out on events C and D.
Do you have any solution for this?
Thanks