Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About pmagee
pmagee
Explorer
Member since:
08-30-2011
06-05-2020
Community Statistics
| Posts | 8 |
| Solutions | 2 |
| Karma Given | 0 |
| Karma Received | 14 |
| Member Since | 08-30-2011 |
Activity Feed
- Got Karma for Re: Splunk DB Connect Tail Input command not working. 06-05-2020 12:46 AM
- Got Karma for DB Connect Timestamp Format. 06-05-2020 12:46 AM
- Got Karma for DB Connect Timestamp Format. 06-05-2020 12:46 AM
- Got Karma for DB Connect Timestamp Format. 06-05-2020 12:46 AM
- Got Karma for Re: DB Connect Timestamp Format. 06-05-2020 12:46 AM
- Got Karma for Re: DB Connect Timestamp Format. 06-05-2020 12:46 AM
- Got Karma for Re: DB Connect Timestamp Format. 06-05-2020 12:46 AM
- Got Karma for Re: DB Connect Timestamp Format. 06-05-2020 12:46 AM
- Got Karma for Re: DB Connect Timestamp Format. 06-05-2020 12:46 AM
- Got Karma for Re: SPLUNK DB Connect: Timestamp Not Working. 06-05-2020 12:46 AM
- Got Karma for Re: SPLUNK DB Connect: Timestamp Not Working. 06-05-2020 12:46 AM
- Got Karma for Re: SPLUNK DB Connect: Timestamp Not Working. 06-05-2020 12:46 AM
- Got Karma for Re: SPLUNK DB Connect: Timestamp Not Working. 06-05-2020 12:46 AM
- Got Karma for Re: SPLUNK DB Connect: Timestamp Not Working. 06-05-2020 12:46 AM
- Posted Re: DB Connect Timestamp Format on Monitoring Splunk. 01-14-2013 01:33 PM
- Posted Re: SPLUNK DB Connect: Timestamp Not Working on Splunk Search. 01-14-2013 01:30 PM
- Posted Re: SPLUNK DB Connect: Timestamp Not Working on Splunk Search. 01-14-2013 12:45 PM
- Posted Re: DB Connect Timestamp Format on Monitoring Splunk. 01-14-2013 12:40 PM
- Posted Re: Splunk DB Connect Tail Input command not working on Splunk Search. 01-09-2013 06:47 AM
- Posted DB Connect Timestamp Format on Monitoring Splunk. 01-08-2013 01:03 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 |
01-14-2013
01:33 PM
5 Karma
In more detail: I'm monitoring a table named dba_scheduler_job_run_details. I had to define my monitor as follows in the $SPLUNK_HOME/etc/apps/[your app name]/local/inputs.conf file. Note that I had to specify a SQL query for my monitor to get things back in the needed format.
[dbmon-tail://your_db_name/scheduler_job_run_details]
host = db_host
index = oracle_dbx
output.format = kv
output.timestamp = 0
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
query = select \r\n to_char(log_date,'YYYY-MM-DD HH24:MI:SS') log_date,\r\n log_id,\r\n owner,\r\n job_name,\r\n status,\r\n error# return_code,\r\n to_char(req_start_date,'YYYY-MM-DD HH24:MI:SS') req_start_date,\r\n to_char(actual_start_date,'YYYY-MM-DD HH24:MI:SS') actual_start_date,\r\n to_char(run_duration) run_duration,\r\n instance_id,\r\n session_id,\r\n to_char(cpu_used) cpu_used,\r\n additional_info\r\nfrom dba_scheduler_job_run_details {{WHERE $rising_column$ > ?}}
sourcetype = job_run_details
tail.rising.column = LOG_ID
interval = auto
table = scheduler_job_run_details
My rising column is LOG_ID. I did not specify a timestamp column in the monitor, but made sure that the appropriate field was returned as the first column in my results. The actual query (without all the extra \r\n codes inserted by Splunk for line breaks) looks like this:
select
to_char(log_date,'YYYY-MM-DD HH24:MI:SS') log_date,
log_id,
owner,
job_name,
status,
error# return_code,
to_char(req_start_date,'YYYY-MM-DD HH24:MI:SS') req_start_date,
to_char(actual_start_date,'YYYY-MM-DD HH24:MI:SS') actual_start_date,
to_char(run_duration) run_duration,
instance_id,
session_id,
to_char(cpu_used) cpu_used,
additional_info
from dba_scheduler_job_run_details {{WHERE $rising_column$ > ?}}
Can't explain why this works, but it does. It is important to note that it can't be configured correctly (as of DBX v. 1.0.6) through the UI. The monitor must be set up through edits of the inputs.conf file for whatever application needs the data.
... View more
01-14-2013
01:30 PM
4 Karma
In my case, I'm monitoring a table named dba_scheduler_job_run_details. I had to define my monitor as follows in the $SPLUNK_HOME/etc/apps/[your app name]/local/inputs.conf file. Note that I had to specify a SQL query for my monitor to get things back in the needed format.
[dbmon-tail://your_db_name/scheduler_job_run_details]
host = db_host
index = oracle_dbx
output.format = kv
output.timestamp = 0
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
query = select \r\n to_char(log_date,'YYYY-MM-DD HH24:MI:SS') log_date,\r\n log_id,\r\n owner,\r\n job_name,\r\n status,\r\n error# return_code,\r\n to_char(req_start_date,'YYYY-MM-DD HH24:MI:SS') req_start_date,\r\n to_char(actual_start_date,'YYYY-MM-DD HH24:MI:SS') actual_start_date,\r\n to_char(run_duration) run_duration,\r\n instance_id,\r\n session_id,\r\n to_char(cpu_used) cpu_used,\r\n additional_info\r\nfrom dba_scheduler_job_run_details {{WHERE $rising_column$ > ?}}
sourcetype = job_run_details
tail.rising.column = LOG_ID
interval = auto
table = scheduler_job_run_details
My rising column is LOG_ID. I did not specify a timestamp column in the monitor, but made sure that the appropriate field was returned as the first column in my results. The actual query (without all the extra \r\n codes inserted by Splunk for line breaks) looks like this:
select
to_char(log_date,'YYYY-MM-DD HH24:MI:SS') log_date,
log_id,
owner,
job_name,
status,
error# return_code,
to_char(req_start_date,'YYYY-MM-DD HH24:MI:SS') req_start_date,
to_char(actual_start_date,'YYYY-MM-DD HH24:MI:SS') actual_start_date,
to_char(run_duration) run_duration,
instance_id,
session_id,
to_char(cpu_used) cpu_used,
additional_info
from dba_scheduler_job_run_details {{WHERE $rising_column$ > ?}}
Can't explain why this works (it's NOT intuitive at all, especially based on the UI), but it seems to be doing fine so far.
... View more
01-14-2013
12:45 PM
1 Karma
I had exactly the same problem. In order to get things working, I had to convert the timestamp column in the database to text using Oracle's to_char(log_date,'YYYY-MM-DD HH24:MI:SS') function (if not using Oracle, use whatever equivalent function is applicable for your database). Then I had to specify both of the following in the inputs.conf file:
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
The output.timestamp.parse.format is detailed in the DBX documentation, but there is no way to set it from the user interface. Once the timestamp was converted to text and both format filters were set to match the output, everything seemed to start working correctly.
... View more
01-14-2013
12:40 PM
Ok. I think I have this figured out, but the solution is NOT intuitive.
It boils down to this: in order to get things working, I had to convert the timestamp column in the database to text using Oracle's to_char(log_date,'YYYY-MM-DD HH24:MI:SS') function. Then I had to specify both of the following in the inputs.conf file:
output.timestamp.format = yyyy-MM-dd HH:mm:ss
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss
The output.timestamp.parse.format is detailed in the DBX documentation, but there is no way to set it from the user interface. Once both format filters were set, everything seemed to start working correctly.
... View more
01-09-2013
06:47 AM
Based on your errors it looks like your connection to the database is failing. I would suspect that there is a space shortage in the database, probably in regards to the audit trail. The audit trail can't expand, so the login fails, which is why the column doesn't show up in the result set.
... View more
01-08-2013
01:03 PM
3 Karma
I am indexing a table which contains automated job results. I specified both a "Rising Column" and a "Timestamp Column" in the configuration of my monitor. The data is making it to the Splunk index, but with some issues. I often see the following error in the dbx.log file:
2013-01-08 15:52:12.062 dbx1556:WARN:ResultSetOutputPayload - Unrecognized timestamp format: '2013-01-08 15:51:50'
The date format of my timstamp column is formatted as "yyyy-MM-dd HH:mi:ss". It doesn't seem to make any difference whether I specify this in the monitor configuration or not.
Also, multiple rows of output from my table are often combined into single entries in the index, even though my rising column is tracking accurately.
How can I ensure that individual records are not combined and that the timestamp is correctly interpreted?
... View more
01-08-2013
12:41 PM
1 Karma
One thing I'm discovering is that the "rising column" and "log date" column names must be specified in ALL CAPS or they won't be recognized. There may be other issues with your particular query as well. I got some insight from checking the $SPLUNK_HOME/var/log/splunk/dbx.log file.
... View more
01-09-2012
11:53 AM
I am also having this issue, with Splunk 4.2.5. Has anyone had any luck figuring this out? I can't get any of my deployment apps to deploy...
... View more
