Hi,
Background:
I am trying to index SQL source where i have to give alias to table column names.
My query:
WITH T1 AS( SELECT xErrors AS [Error_ID],MAX(DATEADD(s, dtErrorDate, '1970-01-01 00:00:00')) AS [Timestamp],sType AS [Type],sFile AS [File],sLine AS [Line],sDesc AS [Description] from HS_Errors group by xErrors, sType, sFile, sLine, sDesc)SELECT * FROM T1 order by [Error_ID]
Where xErrors is an identity column, so i put it as rising column.
I tried putting it in inputs.conf file as below:
[dbmon-tail://sa-sdsql05_HelpSpot/helpspot_errors]
index = default
interval = auto
output.format = mkv
output.timestamp = 1
output.timestamp.column = TimeStamp
output.timestamp.format = yyyy-MM-dd HH:mm:ss.SSSXXX
output.timestamp.parse.format = yyyy-MM-dd HH:mm:ss.SSSXXX
query = WITH T1 AS( SELECT xErrors AS [Error_ID],MAX(DATEADD(s, dtErrorDate, '1970-01-01 00:00:00')) AS [Timestamp],sType AS [Type],sFile AS [File],sLine AS [Line],sDesc AS [Description] from HS_Errors group by xErrors, sType, sFile, sLine, sDesc ) SELECT * FROM T1 {{WHERE $rising_column$ > ?}} order by $rising_column$
sourcetype = helpspot_errors
tail.rising.column = Error_ID
disabled = 0
If i run query in SQl management studio it gives me an output as following columns :
Error_ID Timestamp Type File Line Description
which is fine, but the problem is when data gets indexed in SPLUNK, it doesn't make column headers as fields but it shows me in raw data as below:
6:29:06.716 AM
2014-01-13 06:29:06.716Z Error_ID=1171961 Timestamp=1389393351.000 Type=Database File="C:\\Program Files (x86)\\helpspot\\helpspot\\helpspot\\lib\\class.person.status.php" Line=32 Description="SQLState: 22018
Error Code: 245
Message: [Microsoft][SQL Server Native Client 10.0][SQL Server]Conversion failed when converting the varchar value 'HS-82493' to data type int."
I want to have Error_ID,Timestamp,Type,File,Line,Description as automatically created interesting fields. Please help me.
... View more