Channel: Questions in topic: "splunk-enterprise"

Splunk uses current time instead of specified _time index field when using DB Connect batch input from Oracle Database

I am trying to index data from a query on an Oracle Database using DB Connect via batch input. Originally the field I tried to specify as the _time field was in 10-digit epoch format. My source type had the following settings that I thought would allow Splunk to recognize my desired field:

    TIMESTAMP_FIELDS = CREATE_DATE
    TIME_FORMAT = %s
    MAX_DAYS_AGO = 100000
    MAX_TIMESTAMP_LOOKAHEAD = 10

However, Splunk instead ignores my CREATE_DATE field and always defaults to using the current time of the query. After the above settings failed, I've also tried:

1. Changing the data type of the 10-digit CREATE_DATE to a string using to_char(CREATE_DATE).
2. Converting CREATE_DATE to the data type DATETIME using to_timestamp() and/or to_date(), putting the CREATE_DATE field first, and telling Splunk to identify the timestamp using the Auto settings.
3. Mixing and matching the above settings, to no avail.

None of this seems to work. Is there a default source type I should be using for batch inputs from Oracle DBs? Are there other settings in my source type that I need to change? Do I need to restart my instance of Splunk to force my changes in my source type to take effect? Should I be making these changes in my props.conf? I've looked in the %SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_dbx.log files, but don't see anything. Any suggestions?
