DB Connect: How to create a trigger to synthesize raising column values?

splunkIT
Splunk Employee

In that Database Input view:
Splunk>Manager>>Data>>Data Inputs>>new, under the Tail Input -
Rising Column field, there is a brief explanation:

"Choose a column with an increasing value. Such as a creation or
modification timestamp or a sequential identifier. You can also create a
trigger to synthesize such a value."

What is intended by "create a trigger to synthesize such a value"? Is it referring to something that can be done in Splunk, or in our database?

gkanapathy
Splunk Employee

As ziegfried says, this refers to modifications to the database schema. Besides using a trigger, some database servers may be able to do something using "virtual columns" or "computed columns" (e.g., to convert a text-only timestamp into a numeric or datetime value). But this approach can be used without modifying the database by defining it in Splunk via a SELECT instead of changing the schema.

ziegfried
Influencer

Here’s an example use-case:

You have a table "MYTABLE" which does not contain any column that is viable for being used as the rising column for a tail database input. You want to index all newly inserted rows into the table. The suggested approach is to alter the schema and add a new column (SPLUNK_RISINGCOL in the example below). Then create a trigger that automatically sets the value of this column for newly inserted rows based on a sequence, so new rows will always get a bigger value.

The modifications need to be done on the database itself, not on the Splunk side. Of course this can only be done if the database schema can be modified.

The details on how to set up such a trigger are very specific to the kind of database. Here’s an example for Oracle:

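-- Add the column that will serve as the rising column
-- (Oracle uses ADD (...), not ADD COLUMN).
ALTER TABLE MYTABLE ADD (SPLUNK_RISINGCOL NUMBER(11));

-- Sequence that supplies ever-increasing values.
CREATE SEQUENCE SEQ_MYTABLE_SPLUNK_RISINGCOL START WITH 1 INCREMENT BY 1;

-- Stamp every newly inserted row with the next sequence value.
CREATE OR REPLACE TRIGGER MYTABLE_SPLUNK_RISINGCOL
BEFORE INSERT ON MYTABLE
FOR EACH ROW
BEGIN
    SELECT SEQ_MYTABLE_SPLUNK_RISINGCOL.NEXTVAL INTO :NEW.SPLUNK_RISINGCOL FROM DUAL;
END;
/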

Similar approaches can be used for updated rows as well by creating a BEFORE UPDATE trigger.
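
An added example, not part of the answer above and not Splunk's code: the insert and update triggers working together with a rising-column poll, run against an in-memory SQLite database from Python as a stand-in for the real database (an assumption; SQLite trigger syntax differs from Oracle). The `SEQ` table, the trigger names and the `tail()` helper are hypothetical, and the rows are constructed sample data.

```python
import sqlite3

# Constructed schema. SQLite has no sequences and cannot assign to NEW.*,
# so a one-row counter table and AFTER triggers stand in for the Oracle version.
SCHEMA = """
CREATE TABLE MYTABLE (ID TEXT PRIMARY KEY, MSG TEXT, SPLUNK_RISINGCOL INTEGER);
CREATE TABLE SEQ (N INTEGER NOT NULL);
INSERT INTO SEQ VALUES (0);
CREATE TRIGGER MYTABLE_RISING_INS AFTER INSERT ON MYTABLE
BEGIN
    UPDATE SEQ SET N = N + 1;
    UPDATE MYTABLE SET SPLUNK_RISINGCOL = (SELECT N FROM SEQ) WHERE ID = NEW.ID;
END;
-- Fires only when MSG is in the SET list, so the stamping UPDATEs above and
-- below (which set SPLUNK_RISINGCOL only) do not re-trigger it.
CREATE TRIGGER MYTABLE_RISING_UPD AFTER UPDATE OF MSG ON MYTABLE
BEGIN
    UPDATE SEQ SET N = N + 1;
    UPDATE MYTABLE SET SPLUNK_RISINGCOL = (SELECT N FROM SEQ) WHERE ID = NEW.ID;
END;
"""

def tail(conn, checkpoint):
    """One poll of a rising-column input: rows above the checkpoint, in order."""
    rows = conn.execute(
        "SELECT ID, MSG, SPLUNK_RISINGCOL FROM MYTABLE "
        "WHERE SPLUNK_RISINGCOL > ? ORDER BY SPLUNK_RISINGCOL",
        (checkpoint,),
    ).fetchall()
    # The new checkpoint is the highest value seen; unchanged if nothing is new.
    return rows, (rows[-1][2] if rows else checkpoint)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO MYTABLE (ID, MSG) VALUES (?, ?)",
                     [("a", "login ok"), ("b", "login failed")])
    first, cp = tail(conn, 0)            # both initial rows
    conn.execute("INSERT INTO MYTABLE (ID, MSG) VALUES ('c', 'logout')")
    conn.execute("UPDATE MYTABLE SET MSG = 'login failed x3' WHERE ID = 'b'")
    second, cp = tail(conn, cp)          # new row c plus re-stamped row b
    third, cp = tail(conn, cp)           # nothing new: empty, checkpoint kept
    return first, second, third, cp

if __name__ == "__main__":
    for batch in demo()[:3]:
        print(batch)
```
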
