Hello
I am trying to get Oracle unified logs into Splunk using Splunk DB Connect and the Oracle Add-on for Splunk.
`oracle:audit:unified` has a default template with this SQL query:
```sql
SELECT *
FROM
(SELECT CAST((event_timestamp at TIME zone 'UTC') AS TIMESTAMP) EVENT_TIMESTAMP_UTC,u.*
FROM UNIFIED_AUDIT_TRAIL u)
WHERE EVENT_TIMESTAMP_UTC > ?
ORDER BY EVENT_TIMESTAMP_UTC ASC
```
But it's giving `java.sql.SQLException: ORA-12801: error signaled in parallel query server PPA7, instance -- (2) ORA-01843: not a valid month`
I tried changing the checkpoint value multiple times, but it's giving the same error.
I get results when I run:
```sql
SELECT *
FROM
(SELECT CAST((event_timestamp at TIME zone 'UTC') AS TIMESTAMP) EVENT_TIMESTAMP_UTC,u.*
FROM UNIFIED_AUDIT_TRAIL u)
WHERE EVENT_TIMESTAMP_UTC > ?
```
But when I add `order by`, it gives the error. I am not sure if it's a bug or if I am doing something wrong.