Indeed to_date is a Oracle function. I am connecting to MS SQL server, so I wonder if I need to do a conversion of the rising column, which is a date one. Splunk documentation says:
When your rising column is a date, make sure you wrap the checkpoint parameter in a to_date, such as: {{AND $rising_column$ > to_date(?,'YYYY-MM-DD"T"HH:MI:SS')}}. The format you use must be the same as the format that you selected.
But this example is for Oracle.
Anyway I removed the to_date statement and things seem to work.
... View more