Solved: When Setting of DbConnect Input

raghu0463 · ‎07-24-2017

Hello,

I have a doubt regarding time stamp column in db connect inputs,
I have a table in which there are 4 time stamp columns i.e when the firstcasecreatedtime, firstcaseclosedtime, secondcasecreatedtime, secondcaseclosedtime. lets the oldest date I have In firstcasecreatedtime column is 5/16/2006. and if I select that column as time stamp column in db connect input set parameters. how does it match with the other column time stamps. the earliest date I have in secondcaseclosedtime is 7/23/2017.

Thanks

bheemireddi · ‎07-25-2017

If you select current_index_time, then the all the events will be indexed with the current time (_time), even if the database has the events from the previous years..

View solution in original post

bheemireddi · ‎07-25-2017

Timestamp columns in the table might give an idea what they are..Might be good idea to check with the data owner..Sometimes SMEs of the data might give you better understanding what every field is in the DB. Even if you select one of your time stamp columns as the _time, you will still be able to report on all the other timestamps as well.Mostly you might want the timestamp column when the event/incident first happened/created.

raghu0463 · ‎07-25-2017

then what is the best way to index this type of data when there are 4 columns in the table with time stamps pls

bheemireddi · ‎07-25-2017

If you select current_index_time, then the all the events will be indexed with the current time (_time), even if the database has the events from the previous years..

raghu0463 · ‎07-28-2017

If i Give current index time, will there will be any change in the time for the columns which are imported from the tables. My aim is to don't change the time stamp from the columns.

tmuth_splunk · ‎07-28-2017

Splunk won't change the values of the columns in the table as it indexes them, it will set the splunk field _time to the current_index_time.

jplumsdaine22 · ‎07-25-2017

The time stamp column is the column whose value Splunk will assign to _time. This means that when you select a time range to search in splunk, that's the value it will look for.

You can still search the other columns if you wish, although depending on the data types they may be stored by splunk as text values rather than timestamps. You can use the eval strftime function to convert the time string to a timestamp, which will let you compare times.

The question "how does it match with the other column time stamps" isn't very clear. What is 'it'? What do you mean by match?

raghu0463 · ‎07-25-2017

If i give one column to for timestamp and the indexer will store the data based on that right, and it will have dates like 2006 something, but about the other columns which have dates like 2010

tmuth_splunk · ‎07-25-2017

You can only assign one column as the indexed timestamp or _time field. This also applies to the concept of "rising column". You can still index the other timestamp columns, but the date-time picker in the splunk UI won't filter on those. You'll have to use SPL to filter on the other timestamp columns.

raghu0463 · ‎07-25-2017

what happens if i give current_index_time in that case i.e when i have 4 timestamp columns ?

When Setting of DbConnect Input

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM