Please pardon any incorrect terminology here as I try to explain the problem I am having. 🙂 I have a database that contains log information and I created a "rising" input in DB Connect with a 60 second refresh. The rising column is set to my timestamp field. I was under the impression that this means every 60 seconds, splunk will hit my database and pull in all of the latest records since the last fetch. It also seemed to work fine for a day or so. However, today I noticed my dashboard hadn't updated, and the last data pulled from the DB was on 12/15. I have no idea why it's not refreshing the data, so I am hoping that someone here can shed some light on possible misconfiguration on my part. Thank you! ... View more

I've got a date field that I extracted from log messages, and it is pulled from two different sources. One source zero-pads the numbers, so I get dates like 12/08/17, while the other does not and gives me 12/8/17. The problem is during sort, where I want a natural sort order, but the lexicographical sorting swaps the date entries around. Is there a way in splunk to force it to zero-pad the dates so they are sorted properly? I have seen references to using a strptime() function, but don't know how to use it in my particular example. Here is my search, which works, except that the X axis (date) has its columns swapped around due to the lexicographical sorting: source=OrderEventsTable service="tracking" event_details="shipped on*" | regex event_details="\d+/\d+/\d+" | dedup order_id | stats count as "shipped number" by shipped_date I only know that I would want to pass strptime %m/%d/%y, since %d zero-pads the day. I tried this, unsuccessfully, because it changed shipped_date into a decimal number. source=OrderEventsTable service="tracking" event_details="shipped on*" | regex event_details="\d+/\d+/\d+" | dedup order_id | stats count as "shipped number" by shipped_date | eval shipped_date=strptime(shipped_date,"%m/%d/%y") ... View more

More specifically, what do the available options mean? I can't find anything online that explains what you're supposed to put there. The available options don't seem to have any relevance to my database schema, which I would expect if it's indexing... ... View more

I've got a ordering log that includes two fields, order_id and shipped_date. I am playing with Splunk to see how hard it is to generate dashboards that give me visibility into order processing, so I'd like to be able to count the number of orders shipped each day. I have the search working after I created a custom field using a regex. The problem is that when I run the process that generates the log, the log (postgres database) can end up with duplicate entries. For example, it might add a record for order_id "12345" with a shipped_date "12/1/2017" if I run the process multiple times. It doesn't affect my overall processes, but for dashboard generation, this gives a very incorrect view of shipments. So my question is, is this something that can be taken care of by search easily, or is this something where I have to complicate the DB Connect source by doing it all in SQL? I think this means that my DB Connect source wouldn't be able to digest the entire DB table, but instead I'd have to tailor it to a specific use case. In this case, that would mean something like only returning unique results. ... View more