Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DB Connect Convert Epoch to DateTime

justinfranks
Path Finder
‎04-10-2014 04:11 PM

Hello,

I have an MySQL database and I am trying to index some data from it. I can connect with no problems and I can index the data if I use:

select * from <table>

However, the date field is stored as an INT.

I have tried the following code but it doesn't work.

select d.productid, d.amount, o.orderid, cast(o.`date` as datetime)
from xcart_orders o, xcart_order_details d  
where o.orderid = d.orderid {{ and o.$rising_column$ > ? }}

How would I convert from Unix Epoch time store as an INT to something that Splunk will recognise as DATETIME? Normally, in SQL I would use DATEADD(); but Splunk doesn't seem to recognise that command.

0 Karma
Reply

jsilverbears
Path Finder
‎04-01-2016 03:00 PM

I am seeing this too. You can use the FROM_UNIXTIME(o.date) to get the UTC readable version of the int. If you want to convert that to your timezone, I am not sure how to do that when just pulling the data in with MySQL since DB Connnect 2, the one I am using will not allow a query with CONVERT_TZ to actually be used and return results (this is true at the time I am typing this an may be corrected later). You can however do that after the fact in the Splunk queries.

You probably have already figured this out but I thought it may be helpful for anyone else seeing this.

0 Karma
Reply

harshavrath
Contributor
‎04-16-2014 03:11 AM

Hi,

If your rising column field is your date field that you are mentioning then its not possible.

If its not then you can use

select to_char(date_attribute,'YYYY-MM-DD HH24:MI:SS') date_attribute,id from table_name {{WHERE $rising_column$ > ?}}

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2014 04:59 AM

When you say "it doesn't work", what error are you seeing?

Have you looked at this answer? http://answers.splunk.com/answers/126547/db-connect-epoch-timestamp

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justinfranks
Path Finder
‎04-13-2014 04:41 PM

Hi,

When running that exact command without the rising column bit, i get:

productid   amount  orderid cast(o.`date` as date time)

with no data in the cast column.

Unfortunately, Splunk is not recognising the date when it gets indexed, so the "_time" field is when the data was indexed. This is why I am trying to convert it before it is indexed.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...