Solved: Re: Splunk DB Connect: How to ingest only recent O...

sshres5 · ‎01-05-2017

I am trying to ingest logs residing in Oracle DB through Splunk DB Connect (DB2), it dates back to couple of years. Currently it is only ingesting old logs, even though I have used a checkpoint value it doesn't seem to work.

I just want to ingest logs starting like a week ago.

sshres5 · ‎01-22-2017

So I got this working by manually appending the inputs.conf file's tail rising value and then using 'where' clause in the Rising column's SQL query.

View solution in original post

sshres5 · ‎01-22-2017

So I got this working by manually appending the inputs.conf file's tail rising value and then using 'where' clause in the Rising column's SQL query.

sjohnson_splunk · ‎01-06-2017

Add a where clause to your select statement that specifies a timestamp field > a week ago. Presumable you could use some sql date function to make the calculation on the fly vs. having to hard code an actual date/time value.

sshres5 · ‎01-06-2017

So I tried using the where clause, getting error. Probably I am not using the function properly
where TIMESTAMP >= '2017-01-01 00:00:00'

"None", caused by: Exception(' java.sql.SQLDataException: ORA-01843: not a valid month\n.',). "

sshres5 · ‎01-09-2017

I was able to get the query right, however 0 rows returned.

where TIMESTAMP >= timestamp'2017-01-01 00:00:00'

jplumsdaine22 · ‎01-06-2017

What does your inputs.conf (in $SPLUNK_HOME$/etc/apps/splunk_app_db_connect/local/inputs.conf) look like?

sshres5 · ‎01-06-2017

tail_rising_column_checkpoint_value = 1340340698871

Splunk DB Connect: How to ingest only recent Oracle DB logs?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...