Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I getting two different date values in SQL and Splunk?

gajananh999
Contributor
‎09-22-2014 08:45 AM

Dear All,

I am connecting to the oracle database and i have multiple tables there so i wanted to merge more than two tables and get the data.
I trying to do sql inner join query but its not working for me so what i thought was get all the table data into splunk and merge it in splunk

Sql Query : sql + ROUND((MAX(PRS.END_DATE) - MIN(PRS.START_DATE)) * 3600,2) AS Run_Time_in_Sec + sql

I am getting Run_Time_in_sec as one value.

Splunk Query : search string + stats max(TOTAL) as max_total,max(END_DATE) as max_end_date,min(START_DATE) as min_start_date by ENTERPRISE_ID,RPT_QUEUE_ID | eval Run_Time_in_Sec=(max_end_date-min_start_date)*3600 | table Run_Time_in_sec

Run_Time_in_sec= some value;

Sql Query Run_Time_in_sec is different than splunk query Run_Time_in_sec

Why there is difference in final values

Can anyone tell me here where i am going wrong

0 Karma
Reply

pmdba
Builder
‎09-22-2014 08:16 PM

There does not appear to be any timestamp in your queries. Splunk isn't a relational database - it needs a timestamp in order to index data (it's all about when something happens). Besides the DBX documentation, try the Log File Analysis for Oracle 11g paper for a primer on getting data from Oracle into Splunk. Also check out this post on date formatting when indexing Oracle data into Splunk.

Reply

gajananh999
Contributor
‎09-22-2014 11:51 AM

Can anyone help me out here

0 Karma
Reply

ppablo
Retired
‎09-23-2014 02:03 PM

Hi @gajananh999

Did @pmdba's response answer your question? You upvoted it, but you didn't accept it as an answer by clicking on the "Accept" button below the content of their post. Just want to make sure because this question can be marked as solved (as well as any other of your questions with correct answers that haven't been accepted yet) so other people with the same question can find this post much easier. This will prevent people from asking the same questions over and over again. Plus, you both get karma points 🙂 thanks!

Patrick

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...