Oracle connector raw data tap has events that do not appear to get processed into Sentinel.

  • 7015450
  • 30-Jul-2014
  • 30-Jul-2014

Environment

NetIQ Sentinel 7.x data Collection

Situation

Oracle connector raw data tap has events that do not appear to get processed into Sentinel.

Cause

There are two reasons why events visible in the raw data tap may not show up in search or in the live views: chain events, and no new records in the audit log.

1. Chain events, meaning multiple raw events that together make up one "major" event. These arrive as a chain sequence; at the end of the sequence the Collector combines the parts, so the whole set of chained raw events yields a single Sentinel event. If you look at the chain sequence field in the raw data tap you will see that it increases across the "set" of events. This is also why such Collectors are called "stateful" Collectors: the Collector has to hold the pieces of an event in state until it has all of them and can emit the final combined result.

2. There is no new data to process. Suppose the Collector immediately queries the database again with the same offset. Because there is no new data, it gets exactly the same record set back again, for example a single TRUNCATE TABLE record. The offset is not incremented, because there is a chance that more records will arrive within the one-second timeslice of the original offset. The Collector keeps track of which records it has already seen within the timeslice defined by the OFFSET, so it correctly recognizes that this TRUNCATE TABLE record has already been processed and ignores it. Since there are no new records in the result set, it then pauses briefly before querying again. This is exactly the expected behavior when the audit trail contains exactly one record (the TRUNCATE TABLE record) and no new records are ever added.
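The following is an added illustration of both behaviors described above, written in JavaScript because Sentinel Collectors are JavaScript-based; it is a simplified model and not the NetIQ Oracle Collector's own code. The record layout (id, ts, chainId, chainSeq, chainLast), the StatefulCollector class and the constructed audit records are all assumptions made for the example. It shows four raw-tap records producing only two Sentinel events (three chain parts combine into one), and a repeated query at the same offset returning the already-seen record and being ignored.

```javascript
// Constructed sample audit records as they would appear in the raw data tap.
// ts = audit timestamp in whole seconds; chainId/chainSeq/chainLast describe a
// multi-part (chained) event; chainId null means a standalone record.
const RAW_TAP_RECORDS = [
  { id: 1, ts: 100, chainId: "c1", chainSeq: 1, chainLast: false, action: "SELECT", text: "SELECT * " },
  { id: 2, ts: 100, chainId: "c1", chainSeq: 2, chainLast: false, action: "SELECT", text: "FROM hr.emp " },
  { id: 3, ts: 100, chainId: "c1", chainSeq: 3, chainLast: true,  action: "SELECT", text: "WHERE dept = 10" },
  { id: 4, ts: 101, chainId: null, chainSeq: 0, chainLast: false, action: "TRUNCATE TABLE", text: "TRUNCATE TABLE t" },
];

// Stands in for the Collector's query against the audit trail, i.e. something like
// "SELECT ... WHERE ts >= :offset ORDER BY ts, chainSeq". Rows at the offset second
// are returned again on every call until the offset moves.
function queryAuditTrail(table, offset) {
  return table
    .filter((r) => r.ts >= offset)
    .sort((a, b) => a.ts - b.ts || a.chainSeq - b.chainSeq);
}

class StatefulCollector {
  constructor(startOffset) {
    this.offset = startOffset;       // the one-second timeslice currently being read
    this.seenInSlice = new Set();    // record ids already processed at this offset
    this.pendingChains = new Map();  // chainId -> parts collected so far (the "state")
    this.idleCycles = 0;             // consecutive polls that returned nothing new
  }

  // One polling cycle. Returns the Sentinel events emitted, how many records were
  // genuinely new, and whether the Collector would pause before querying again.
  poll(table) {
    const emitted = [];
    let newRecords = 0;
    for (const rec of queryAuditTrail(table, this.offset)) {
      if (rec.ts > this.offset) {
        // A newer timeslice has been reached: advance the offset and forget the
        // ids of the old slice, which can no longer be returned by the query.
        this.offset = rec.ts;
        this.seenInSlice.clear();
      }
      if (this.seenInSlice.has(rec.id)) continue; // same offset, same row: ignore
      this.seenInSlice.add(rec.id);
      newRecords += 1;
      const event = this.handleRecord(rec);
      if (event) emitted.push(event);
    }
    this.idleCycles = newRecords === 0 ? this.idleCycles + 1 : 0;
    return { emitted, newRecords, pause: newRecords === 0 };
  }

  // Standalone records become an event immediately; chain parts are held until
  // the final part arrives and are then combined into one event.
  handleRecord(rec) {
    if (rec.chainId === null) {
      return { action: rec.action, ts: rec.ts, parts: 1, text: rec.text };
    }
    const parts = this.pendingChains.get(rec.chainId) || [];
    parts.push(rec);
    if (!rec.chainLast) {
      this.pendingChains.set(rec.chainId, parts); // still waiting for more pieces
      return null;
    }
    this.pendingChains.delete(rec.chainId);
    return {
      action: parts[0].action,
      ts: parts[0].ts,
      parts: parts.length,
      text: parts.map((p) => p.text).join(""),
    };
  }
}

// Stand-alone demo: four raw records, two events, then two idle polls.
const demoTable = RAW_TAP_RECORDS.slice();
const demoCollector = new StatefulCollector(100);
console.log("raw-tap records:", demoTable.length);
console.log("poll 1:", JSON.stringify(demoCollector.poll(demoTable)));
console.log("poll 2:", JSON.stringify(demoCollector.poll(demoTable)));
console.log("poll 3:", JSON.stringify(demoCollector.poll(demoTable)));
```

The second and third polls return the single TRUNCATE TABLE record from the query again, but the Collector's per-timeslice seen set filters it out, so nothing is emitted and the pause flag is set, which is the quiet behavior the article describes when the audit trail stops growing.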