Hi,
I am working with the Splunk app for DB Connect, and I always have the same problem.
When I run the query in the preview page, I get the timestamp column in epoch time (I don't know why) with 13 digits.
When you want to create a new DB input, you need to fill in some parameters, and one of them is the rising column (if it's a tail query).
I choose this column for the rising column and also for the timestamp column. I need to choose between Epoch Time and Java Date.
Since the data is displayed like epoch time, I choose Epoch Time, and then in the last parameter I choose the Output Timestamp Format as YYYY-MM-dd HH:mm:ss.
Example:
My OracleDB with column called: Creation_Date
Rising Column: Creation_Date
Timestamp Column: Creation_Date ; Epoch Time
Output Timestamp Format: YYYY-MM-dd HH:mm:ss
My Oracle DB:    Splunk:
13-May-2015      1431496124000
12-May-2015      1431423563000
The Problems:
1. Splunk doesn't recognize this time as _time
2. If I tried to manually force _time to get this time with |eval Creation_Date=strfime(Creation_Date,"%F %T") | _time=strptime(Creation_Date,"%F %T") - this doesn't work, the _time is not correct.
3. Splunk's 13-digit number is not exactly epoch time (epoch is 10 digits: the number of seconds from 1.1.1970) - it gives the time in milliseconds - maybe because of this Splunk cannot convert it back to _time.
I will be happy to hear how to handle those cases.
Omer Rudik.