Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

DB Connect: Why datetime field in mssql is imported as epoch time and how to convert it to a time-searchable value?

krwinters11
Path Finder
‎11-06-2014 12:37 PM

I have been unable to find a working solution to my problem. My datetime field in my mssql database looks like it is imported as epoch time. This results in me only being able to search via indexed time, when I would like to search by my datetime field. I can convert it to ctime, which makes it look correct to the user, but this is a string, and not a time-searchable value.

The closest answer I have found looks like my datetime field should be of type timestamp. I am unable to change my data types, so a solution/work-around would be great!

Thank you in advance 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

musskopf
Builder
‎11-06-2014 02:54 PM

Hello, I used to have this problem and my workaround was to convert the Time to varchar in the SELECT statement and, at same time, use the option output.timestamp.parse.format in the DB Connect - This option is not available on the GUI, only via config file.

Here how the $SPLUNK_HOME/etc/apps/dbx/local/inputs.conf looks like:

[dbmon-tail://XXX_ACS/ACS Account Lockout]
index = ws_xxx_acs
interval = 300
output.format = kv
output.timestamp = 1
output.timestamp.column = CreationTimeUTC
output.timestamp.parse.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
output.timestamp.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
query = SELECT convert(varchar,dvA.CreationTime,120) + ' +0000' AS CreationTimeUTC, dvA.EventId, dvA.EventMachine AS Server, dvA.CollectionTime FROM AdtServer.dvAll5 AS dvA WHERE dvA.EventId IN (4740,644) {{ AND dvA.$rising_column$ > ? }}
sourcetype = xxx_acs_lockout
table = dvAll5
tail.rising.column = CollectionTime
disabled = 0

I normally configure everything via GUI, disable it via GUI and after all edit the inputs.conf to add the output.timestamp.parse.format. After edited the file I use the command $SPLUNK_HOME/bin/splunk reload monitor, get back to the GUI to double check and enable to input.

Note: If you need to use the Timestamp as the rising column, you'll need to point it to the original column and not to the converted one, as per my example.

Ps.: One more tip, if you add the DB Input, it'll start enabled by default. To prevent start collecting data before you change the inputs.conf, just schedule it to run using cron style to something like 1 1 1 1 1, so you'll have enough time do disable it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

musskopf
Builder
‎11-06-2014 02:54 PM

Hello, I used to have this problem and my workaround was to convert the Time to varchar in the SELECT statement and, at same time, use the option output.timestamp.parse.format in the DB Connect - This option is not available on the GUI, only via config file.

Here how the $SPLUNK_HOME/etc/apps/dbx/local/inputs.conf looks like:

[dbmon-tail://XXX_ACS/ACS Account Lockout]
index = ws_xxx_acs
interval = 300
output.format = kv
output.timestamp = 1
output.timestamp.column = CreationTimeUTC
output.timestamp.parse.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
output.timestamp.format = yyyy-MM-dd' 'HH:mm:ss' 'Z
query = SELECT convert(varchar,dvA.CreationTime,120) + ' +0000' AS CreationTimeUTC, dvA.EventId, dvA.EventMachine AS Server, dvA.CollectionTime FROM AdtServer.dvAll5 AS dvA WHERE dvA.EventId IN (4740,644) {{ AND dvA.$rising_column$ > ? }}
sourcetype = xxx_acs_lockout
table = dvAll5
tail.rising.column = CollectionTime
disabled = 0

I normally configure everything via GUI, disable it via GUI and after all edit the inputs.conf to add the output.timestamp.parse.format. After edited the file I use the command $SPLUNK_HOME/bin/splunk reload monitor, get back to the GUI to double check and enable to input.

Note: If you need to use the Timestamp as the rising column, you'll need to point it to the original column and not to the converted one, as per my example.

Ps.: One more tip, if you add the DB Input, it'll start enabled by default. To prevent start collecting data before you change the inputs.conf, just schedule it to run using cron style to something like 1 1 1 1 1, so you'll have enough time do disable it.

0 Karma
Reply
Solved! Jump to solution

krwinters11
Path Finder
‎11-06-2014 03:52 PM

Thanks! I'll give this a try.

0 Karma
Reply
Solved! Jump to solution

krwinters11
Path Finder
‎11-10-2014 06:23 AM

It doesn't seem to change my format.

0 Karma
Reply
Solved! Jump to solution

musskopf
Builder
‎11-10-2014 01:07 PM

Have you updated the query as well to output the timestamp as varchar?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...