
What's the correct way to get real-time continuous output using DB Connect v2?

AlgenolSupport
New Member

It looks like the smallest Execution Frequency allowed is 1 second, which is close enough for my purposes, but I keep getting duplicate results entered into the database. Is there something with the search term that needs to be specific? How does it know if it already output a specific event? I've been working on this for a while with no other options at this point. Thanks for anything that can point me in the right direction!

0 Karma

jcoates_splunk
Splunk Employee

Hi,

You'll need to use a tailing input and a rising column to prevent duplication. If you don't have a row id column to use, it will not be as good. Using timestamp as a rising column is less than ideal, but sadly common. It's less than ideal for two big reasons:
1) daylight savings / timezones / epochal vs local
2) multiple events with same timestamp
If you don't care about or can guarantee that you will avoid both of those, proceed at will.
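A model of the rising-column checkpointing described in the answer above, added here as an example; it is not part of the thread or of DB Connect, and the table rows, column names and poll loop are constructed to show both caveats (ties on the same timestamp, and a local clock stepping back) against a row id column:

```python
# Added example, not DB Connect's own code: a model of a tailing input that
# remembers a rising-column checkpoint between polls, to show why a timestamp
# column can duplicate or drop rows while a monotonic row id cannot.

def poll(table, column, checkpoint, strict=True):
    """One poll: select rows past the checkpoint and advance it.

    strict=True mimics 'WHERE column > ?', strict=False mimics 'WHERE column >= ?'.
    Returns (selected rows, new checkpoint).
    """
    if strict:
        picked = [r for r in table if r[column] > checkpoint]
    else:
        picked = [r for r in table if r[column] >= checkpoint]
    new_checkpoint = max((r[column] for r in picked), default=checkpoint)
    return picked, new_checkpoint

def tail(snapshots, column, strict=True, start=0):
    """Run successive polls over growing table snapshots; return the row ids emitted, in order."""
    checkpoint = start
    emitted = []
    for table in snapshots:
        rows, checkpoint = poll(table, column, checkpoint, strict)
        emitted.extend(r["id"] for r in rows)
    return emitted

# Constructed sample: "ts" is a local-time clock in whole seconds; rows 1-3 all
# logged in second 100, rows 3 and 4 land in the table after the first poll,
# and row 5 arrives after the clock has stepped back (daylight-saving style).
SNAPSHOT_1 = [{"id": 1, "ts": 100}, {"id": 2, "ts": 100}]
SNAPSHOT_2 = SNAPSHOT_1 + [{"id": 3, "ts": 100}, {"id": 4, "ts": 101}]
SNAPSHOT_3 = SNAPSHOT_2 + [{"id": 5, "ts": 99}]
SNAPSHOTS = [SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3]

def compare():
    """Emit the same table through three rising-column choices."""
    return {
        "ts_strict": tail(SNAPSHOTS, "ts", strict=True),      # drops rows 3 and 5
        "ts_inclusive": tail(SNAPSHOTS, "ts", strict=False),  # repeats rows 1, 2 and 4, drops 5
        "row_id": tail(SNAPSHOTS, "id"),                      # every row exactly once
    }

if __name__ == "__main__":
    for name, ids in compare().items():
        print(f"{name:13s} -> {ids}")
```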

dwtung
Explorer

How do you set this up? I have the same issue. In the database table I am outputting to, I have _time, device_type and user_id columns. I only want 1 record per user_id and device_type, but the _time column is also unique.

Also, I tried putting a unique index on the DB table, but when it errors on insert it aborts the entire batch.

0 Karma

AlgenolSupport
New Member

I actually did not mean to mark this as accepted. My question was about real-time continuous OUTPUT. The answer provided looks to be for input from a DB.

0 Karma