I am using DB connect and my customer has a need for an alert setup that runs the search string and looks to see if there are any new records in the table, if so, send an e-mail with all the details. Here is what I am running into. If I tell the string to search for time stamps is just uses the Splunk time stamp and not the create date and time of the actual record. This in turn causes this alert to check, see there are entries and shoots an email with every entry, even old ones. I think I need to change my string to find the latest set using a field called "create_date" however I am not sure how I would make this work. Maybe regex? I need some expertise on this. Example below.
create_date="2017-03-14 18:47:58.623"
The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem.
If you can't do that, you should be able to use that as a field.
mysearch create_date>"2017-03-13" | whatever else you want ...
or whatever.
Using your create_date time above, I can do this run-anywhere example:
| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date>"2017-03-15"
(Returns no results)
| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-15"
Returns the one result it should. Other variations (with times) seems to work fine. Like
| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-14 18:47:58.622"
Which doesn't return anything, but changing the time at the very end to "...623" returns it.
The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem.
If you can't do that, you should be able to use that as a field.
mysearch create_date>"2017-03-13" | whatever else you want ...
or whatever.
Using your create_date time above, I can do this run-anywhere example:
| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date>"2017-03-15"
(Returns no results)
| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-15"
Returns the one result it should. Other variations (with times) seems to work fine. Like
| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-14 18:47:58.622"
Which doesn't return anything, but changing the time at the very end to "...623" returns it.
Can you clarify this?
"The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem." It sounds like you know what I need to do however I am such a novice I am not fully understanding.
Thanks! That did it!
Sure.
When you create the DB Connect input (or when you edit it) there is a whole section of the input building that involves picking the timestamp column. Here's the section in the docs for that. Making sure that's set correctly so that Splunk uses the right column as the timestamp column will solve all the problems you've mentioned.
If you need more help with that, you'll have to be more specific about DB type, what sort of input is set up and so on.