
Splunk DB Connect - dbquery inline search and time filtering not working

Hi all,

I am currently working on various dashboards for my company; for some of them I need to request data from local databases using DB Connect (the data are nmon monitoring of AIX LPARs).

As I am using the "dbquery" command, I'm not indexing any local data; these are only inline searches. (Locally indexing data from these DBs is possible with DB Connect, but it would represent a large amount of redundant data in our information system.)

This works very well, but my problem is that I can't get any time filter to work, whether using an inline search or the timepicker in my XML code.

Example search:

| dbquery nmondb "select hostname as hostname, ZZZZ as timestamp, ((EC_User_PCT+EC_Sys_PCT+EC_Wait_PCT+EC_Idle_PCT)*entitled/100) as conso,((EC_User_PCT+EC_Sys_PCT+EC_Wait_PCT+EC_Idle_PCT)*entitled/100)/virtualCPUs as percent_conso from lpar where year(ZZZZ)=2013;" limit=100 earliest=-h | table * | fields timestamp, hostname, conso, percent_conso

Output sample:

        ZZZZ             hostname   conso              percent_conso
    1   1357858873.000   gpXXXXX    0                  0
    2   1357859114.000   gpXXXXX    8.65223975375652   0.508955279632737
    3   1357859354.000   gpXXXXX    10.4659196991014   0.615642335241262
    4   1357859594.000   gpXXXXX    10.5134396686173   0.618437627565721

The field "ZZZZ" contains the SQL date column (in SQL date format). For Splunk to understand the timestamp, I successfully used this example using "rename"; then Splunk seems to understand the conversion and shows a human-readable timestamp:

| dbquery nmondb "select hostname as hostname, ZZZZ, ((EC_User_PCT+EC_Sys_PCT+EC_Wait_PCT+EC_Idle_PCT)*entitled/100) as conso,((EC_User_PCT+EC_Sys_PCT+EC_Wait_PCT+EC_Idle_PCT)*entitled/100)/virtualCPUs as percent_conso from lpar where year(ZZZZ)=2013;" limit=100 earliest=-h | table * | rename ZZZZ As _time | fields _time, hostname, conso, percent_conso

Output sample:

        _time                     hostname   conso              percent_conso
    1   1/11/13 12:01:13.000 AM   gpXXXXX    0                  0
    2   1/11/13 12:05:14.000 AM   gpXXXXX    8.65223975375652   0.508955279632737
    3   1/11/13 12:09:14.000 AM   gpXXXXX    10.4659196991014   0.615642335241262
    4   1/11/13 12:13:14.000 AM   gpXXXXX    10.5134396686173   0.618437627565721

So the initial SQL timestamp value "1357858873.000" is converted by Splunk into "1/11/13 12:01:13.000 AM".

This works with timechart, BUT I can't get any time filtering to work, even inside the search itself. I guess renaming the field is not enough...

I really need this to work to successfully introduce Splunk into our company...

Thank you very much for your help!
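As an added illustration (not part of the question above, and not Splunk's or DB Connect's own code), the following Python reproduces the "rename ZZZZ as _time, then apply a time window" step on rows constructed from the sample output. It lets you check, independently of Splunk, which rows a given `earliest` modifier would select once `_time` carries the epoch value. The `relative_time` helper is a minimal stand-in for Splunk's function of the same name and only handles the `-<n><unit>` form; how `dbquery` itself treats `earliest` is not asserted here.

```python
import re
import time
from datetime import datetime, timezone

# Constructed rows in the shape of the dbquery output shown in the question:
# (ZZZZ as epoch seconds, hostname, conso, percent_conso).
SAMPLE_ROWS = [
    ("1357858873.000", "gpXXXXX", 0, 0),
    ("1357859114.000", "gpXXXXX", 8.65223975375652, 0.508955279632737),
    ("1357859354.000", "gpXXXXX", 10.4659196991014, 0.615642335241262),
    ("1357859594.000", "gpXXXXX", 10.5134396686173, 0.618437627565721),
]

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def rename_to_time(rows):
    """Mimic `| rename ZZZZ AS _time`: the epoch value is kept, only the field name changes."""
    return [
        {"_time": float(zzzz), "hostname": host, "conso": conso, "percent_conso": pct}
        for zzzz, host, conso, pct in rows
    ]


def relative_time(now_epoch, spec):
    """Minimal stand-in (assumption, not Splunk's implementation) for relative_time().

    Accepts "-1h", "-30m", "+2d" and the shorthand "-h" (treated as "-1h").
    """
    match = re.fullmatch(r"([+-])(\d*)([smhd])", spec)
    if not match:
        raise ValueError(f"unsupported time modifier: {spec!r}")
    sign, count, unit = match.groups()
    offset = (int(count) if count else 1) * UNIT_SECONDS[unit]
    return now_epoch + offset if sign == "+" else now_epoch - offset


def search_window(rows, now_epoch, earliest_spec):
    """Apply a half-open window [earliest, now) to the renamed events, like a `where` on _time."""
    events = rename_to_time(rows)
    earliest = relative_time(now_epoch, earliest_spec)
    return [e for e in events if earliest <= e["_time"] < now_epoch]


def to_iso_utc(epoch):
    """Render an epoch value as an ISO-8601 UTC string (the question's display is local time)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    # Reference instant chosen inside the sample data: 2013-01-10 23:10:00 UTC.
    reference = 1357859400.0
    for spec in ("-1h", "-5m"):
        hits = search_window(SAMPLE_ROWS, reference, spec)
        print(f"earliest={spec} relative to {to_iso_utc(reference)}: {len(hits)} rows")
        for hit in hits:
            print("   ", to_iso_utc(hit["_time"]), hit["hostname"], hit["conso"])
    # Relative to the wall clock, a one-hour window cannot match January 2013 data.
    print("earliest=-h relative to now:", len(search_window(SAMPLE_ROWS, time.time(), "-h")), "rows")
```

Running the script shows the window selecting three rows for `-1h` and two for `-5m` against the 2013 reference instant, and none when the window is taken relative to the current time, which is worth keeping in mind when testing `earliest=-h` against historical rows.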

