Solved: Re: Why can't I select field's alias name as 'risi...

jawaharas · ‎11-26-2018

The Splunk DB Connect app doesn't allow to select the custom field with alias name (EPOCH_TIMESTAMP) as 'Rising Column'. Any guidance will be helpful. Thanks.

DBConnect SQL:

SELECT 
    OS_USERNAME,
    DBUSERNAME,
    CLIENT_PROGRAM_NAME, 
    EVENT_TIMESTAMP,
    (CAST(EVENT_TIMESTAMP AS DATE) - DATE '1970-01-01')*24*60*60*1000 + MOD( EXTRACT( SECOND FROM EVENT_TIMESTAMP ), 1 ) * 1000 AS EPOCH_TIMESTAMP,
FROM sys.UNIFIED_AUDIT_TRAIL
WHERE EPOCH_TIMESTAMP > ?
ORDER BY EPOCH_TIMESTAMP ASC

FrankVl · ‎11-27-2018

Try it like this:

SELECT 
     OS_USERNAME,
     DBUSERNAME,
     CLIENT_PROGRAM_NAME, 
     EVENT_TIMESTAMP,
     (CAST(EVENT_TIMESTAMP AS DATE) - DATE '1970-01-01')*24*60*60*1000 + MOD( EXTRACT( SECOND FROM EVENT_TIMESTAMP ), 1 ) * 1000 AS EPOCH_TIMESTAMP,
 FROM sys.UNIFIED_AUDIT_TRAIL
 WHERE  (CAST(EVENT_TIMESTAMP AS DATE) - DATE '1970-01-01')*24*60*60*1000 + MOD( EXTRACT( SECOND FROM EVENT_TIMESTAMP ), 1 ) * 1000 > ?
 ORDER BY EPOCH_TIMESTAMP ASC

View solution in original post

FrankVl · ‎11-27-2018

Try it like this:

SELECT 
     OS_USERNAME,
     DBUSERNAME,
     CLIENT_PROGRAM_NAME, 
     EVENT_TIMESTAMP,
     (CAST(EVENT_TIMESTAMP AS DATE) - DATE '1970-01-01')*24*60*60*1000 + MOD( EXTRACT( SECOND FROM EVENT_TIMESTAMP ), 1 ) * 1000 AS EPOCH_TIMESTAMP,
 FROM sys.UNIFIED_AUDIT_TRAIL
 WHERE  (CAST(EVENT_TIMESTAMP AS DATE) - DATE '1970-01-01')*24*60*60*1000 + MOD( EXTRACT( SECOND FROM EVENT_TIMESTAMP ), 1 ) * 1000 > ?
 ORDER BY EPOCH_TIMESTAMP ASC

jawaharas · ‎11-27-2018

Perfect..! Thank you so much @FrankVI

Why can't I select field's alias name as 'rising column' in DBConnect 3.x?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...