Hi,
I ran into something yesterday, and wanted to pick a few brains about it. The sample SQL code for the syslog export filter in clearpass 6.3 has code along these lines:
select blaa from wherever where ((timestamp >= --START-TIME--) AND (timestamp <= --END-TIME--))
While testing, I bumped into a duplicate record in my syslog data. My guess is that the record was cut EXACTLY at --END-TIME-- of one of the intervals. Assuming clearpass iterates through the logs by setting the next START-TIME to the previous END-TIME, the example select logic is flawed, in that it's using ">=" and "<=", meaning that a timestamp right on the edge would be picked up twice.
I'm considering modifying my custom export filter code as follows:
select blaa from wherever where ((timestamp >= --START-TIME--) AND (timestamp < --END-TIME--))
(Note the removal of the "=" in the end-time test.)
Does this make sense, or am I barking up the wrong tree because Clearpass makes sure that END-TIME will never match the next START-TIME somehow, or that the START and END times will NEVER match a timestamp in the database? If this does seem legit, then perhaps Clearpass should amend the sample SQL when you hit the link it offers.
Mike
Cornell University
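The boundary effect described in the post, reproduced as an added example (not the poster's code and not ClearPass's own export logic). It assumes, as the post does, that the exporter walks the log in consecutive windows where each window's START-TIME is the previous window's END-TIME; the table name `events`, the column `ts`, the window size and the sample rows are all constructed for the demonstration. Both predicates are run as real SQL against an in-memory SQLite table so the duplicate can be observed rather than argued about.

```python
import sqlite3

# Constructed sample data (not real ClearPass records): event id and
# timestamp in seconds. Events 3 and 6 land exactly on window boundaries.
SAMPLE_EVENTS = [(1, 30), (2, 119), (3, 120), (4, 121), (5, 239), (6, 240), (7, 300)]

# The two predicates under discussion; table/column names are assumptions.
CLOSED = "SELECT id FROM events WHERE (ts >= ?) AND (ts <= ?)"     # sample SQL shape
HALF_OPEN = "SELECT id FROM events WHERE (ts >= ?) AND (ts < ?)"   # proposed fix


def make_db():
    """Build an in-memory table holding the constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, ts INTEGER NOT NULL)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_EVENTS)
    return conn


def export_windows(conn, query, start, end, step):
    """Emulate the assumed exporter loop: fixed-size windows where the next
    START-TIME equals the previous END-TIME. Returns ids in export order,
    including any id returned more than once."""
    ids = []
    window_start = start
    while window_start < end:
        window_end = window_start + step
        ids.extend(row[0] for row in conn.execute(query, (window_start, window_end)))
        window_start = window_end
    return ids


def duplicates(ids):
    """Ids that were exported more than once, sorted."""
    seen, dup = set(), set()
    for i in ids:
        if i in seen:
            dup.add(i)
        seen.add(i)
    return sorted(dup)


def missing(ids):
    """Ids present in the table but never exported (the failure mode a
    half-open interval would show if the windows did NOT abut)."""
    return sorted({e[0] for e in SAMPLE_EVENTS} - set(ids))


if __name__ == "__main__":
    conn = make_db()
    for label, query in (("closed [start, end]", CLOSED), ("half-open [start, end)", HALF_OPEN)):
        ids = export_windows(conn, query, 0, 360, 120)
        print(f"{label:24s} exported={ids} duplicates={duplicates(ids)} missing={missing(ids)}")
```

With three windows of 120 seconds, the closed predicate returns events 3 and 6 twice (each sits on a boundary), while the half-open predicate returns every event exactly once. The half-open form only stays complete because consecutive windows abut; the `missing()` check is there so that, if the exporter ever skips or overlaps windows, the gap shows up as loudly as the duplicate did.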