Solved: Re: Splunk DB Connect: How to ingest only recent O...

sshres5 · ‎01-05-2017

I am trying to ingest logs residing in Oracle DB through Splunk DB Connect (DB2), it dates back to couple of years. Currently it is only ingesting old logs, even though I have used a checkpoint value it doesn't seem to work.

I just want to ingest logs starting like a week ago.

sshres5 · ‎01-22-2017

So I got this working by manually appending the inputs.conf file's tail rising value and then using 'where' clause in the Rising column's SQL query.

View solution in original post

sshres5 · ‎01-22-2017

So I got this working by manually appending the inputs.conf file's tail rising value and then using 'where' clause in the Rising column's SQL query.

sjohnson_splunk · ‎01-06-2017

Add a where clause to your select statement that specifies a timestamp field > a week ago. Presumable you could use some sql date function to make the calculation on the fly vs. having to hard code an actual date/time value.

sshres5 · ‎01-06-2017

So I tried using the where clause, getting error. Probably I am not using the function properly
where TIMESTAMP >= '2017-01-01 00:00:00'

"None", caused by: Exception(' java.sql.SQLDataException: ORA-01843: not a valid month\n.',). "

sshres5 · ‎01-09-2017

I was able to get the query right, however 0 rows returned.

where TIMESTAMP >= timestamp'2017-01-01 00:00:00'

jplumsdaine22 · ‎01-06-2017

What does your inputs.conf (in $SPLUNK_HOME$/etc/apps/splunk_app_db_connect/local/inputs.conf) look like?

sshres5 · ‎01-06-2017

tail_rising_column_checkpoint_value = 1340340698871

Splunk DB Connect: How to ingest only recent Oracle DB logs?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!