All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex Question for Database Field Extraction

cjs1031
Explorer
‎03-14-2017 02:45 PM

I am using DB connect and my customer has a need for an alert setup that runs the search string and looks to see if there are any new records in the table, if so, send an e-mail with all the details. Here is what I am running into. If I tell the string to search for time stamps is just uses the Splunk time stamp and not the create date and time of the actual record. This in turn causes this alert to check, see there are entries and shoots an email with every entry, even old ones. I think I need to change my string to find the latest set using a field called "create_date" however I am not sure how I would make this work. Maybe regex? I need some expertise on this. Example below.
create_date="2017-03-14 18:47:58.623"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎03-14-2017 05:19 PM

The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem.

If you can't do that, you should be able to use that as a field.

mysearch create_date>"2017-03-13" | whatever else you want ...

or whatever.

Using your create_date time above, I can do this run-anywhere example:

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date>"2017-03-15"

(Returns no results)

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-15"

Returns the one result it should. Other variations (with times) seems to work fine. Like 

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-14 18:47:58.622"

Which doesn't return anything, but changing the time at the very end to "...623" returns it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎03-14-2017 05:19 PM

The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem.

If you can't do that, you should be able to use that as a field.

mysearch create_date>"2017-03-13" | whatever else you want ...

or whatever.

Using your create_date time above, I can do this run-anywhere example:

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date>"2017-03-15"

(Returns no results)

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-15"

Returns the one result it should. Other variations (with times) seems to work fine. Like 

| makeresults | eval create_date="2017-03-14 18:47:58.623" | search create_date<="2017-03-14 18:47:58.622"

Which doesn't return anything, but changing the time at the very end to "...623" returns it.

0 Karma
Reply
Solved! Jump to solution

cjs1031
Explorer
‎03-15-2017 12:28 PM

Can you clarify this?
"The field to use as the timestamp is configurable on the input. If you can change it there, this will solve your whole problem." It sounds like you know what I need to do however I am such a novice I am not fully understanding.

0 Karma
Reply
Solved! Jump to solution

cjs1031
Explorer
‎03-16-2017 12:43 PM

Thanks! That did it!

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎03-15-2017 06:55 PM

Sure.

When you create the DB Connect input (or when you edit it) there is a whole section of the input building that involves picking the timestamp column. Here's the section in the docs for that. Making sure that's set correctly so that Splunk uses the right column as the timestamp column will solve all the problems you've mentioned.

If you need more help with that, you'll have to be more specific about DB type, what sort of input is set up and so on.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...