Having an object audit trail is certainly a nice thing to have. It requires two things, though: 1) a unique ID per object that never gets reused, and 2) a dedicated field to mark an object as deleted.

The 'dedup' command returns the latest matching event from the event creation, or one can specify;

stats latest(custom_timestamp)

The more I work with Splunk, the more value is apparent in historical data. You can create queries in SPL that show the life of a record, similar to audit trails.

It's really a change drastic in concept from self updating records, but we've been able to work around it by creating DBX inputs in a specific format that benefits the historical references.

Currently you can mark events for deletion, but it does not recover disk space. Would be a nice feature.

The expected function of what I'm aiming for is ease of use for end users, limiting SQL traffic, lowering index space requirements, and lowering license usage.

With look-ups, the data isn't as live as could be. The syntax is also different. While that works for advanced users, I'd rather have the option to compare snapshots of tables via; 'index=foo index=bar', etc.

We could do this all from SQL scripts, sure but I'd like live, up-to-date DB reports being generated in Splunk, without duplicate data, without having to delete records, and without having to update report queries every run.

Yes, lookups do not have to be time series in nature since at their simplest they simply decorate or enrich existing events or results, though temporal lookups are possible and might be another area for you to explore: http://docs.splunk.com/Documentation/Splunk/6.0.1/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

You are probably not the only shop in the world with that use case. However, the vast majority of customers I have talked to are using DB Connect to get data from Splunk to a RDB, from an RDB to Splunk, or as a way to enrich data in Splunk with data from a DB.

To restate my point from earlier, you could certainly script something to meet your goals, but I'm not sure I understand what you would hope to gain from this use case. Splunk is designed to store and search upon time series data. Maybe if I understood how you intended to search the data in Splunk it would help me better understand.

I don't mind that answer but I think it's a limitation that can easily be overcome. I'm not exactly asking for the world here, it's a data source. Excluding non-timed events seems like a completely self imposed limitation. Same with events that don't update.

CSV lookup and SQL query is possible without stamps, but indexes are not? I don't buy it. You're missing an entire selling point, simple indexed reporting on databases that you can cross compare with other inputs.

I understand the indexes can not be updated, but they can be marked for removal and excluded from searches and queries.

I really find it difficult to believe that we are the only shop with database connections that aren't tailing logs.

As it stands, the functionality of DBX is limited to sequential event logs stored in DB's that never update, only append. Anything else where records are static, or updated in place can not be indexed without complication.

I'm not sure I was able to accurately convey what I meant with regard to update in place. Each row in Splunk's indexes are essentially "WORM". The automation would involve a scripted input that performs the automation of comparing what is in Splunk's most recent events to what is currently in the DB Table.

I guess the bottom line is that there is not a way to do this with DB Connect out of the box. If other folks are interested in doing something like this, I haven't heard from them yet.

Using the DB to trigger and push data to Splunk butts up against the same exact issue. Nothing would change. You'd still get duplicates without the ability to update in place.

A flat file lookup such as a csv uses a different syntax, is not indexed, and is just a superfluous step since you're constantly dumping for the db anyway. I'd just use the native dbquery command in DBX.

I don't mean to be rude, but you're not either understanding the issue or misunderstanding available options.

Understood, but you run into the same issues as the other answer. One would have to edit queries after every dump to only reference the most recent timestamps. Negating any automation.

Updating in place is not complex in the slightest. DBX could easily include a field to use a primary key, and update matching records. SQL's update command does this, so python would clearly have a native record set update function or one can easily be built.

rising column entry per job? Probably would need a stored procedure to make that happen.

Except in any large data set. The timestamp Splunk appends is per record transaction, so throughout a single dump there are several variations of the stamp.

So stats latest(_time) would not display all results of a dump, only the last grouped set.

One could use stats latest(_time) to create a generic search for the most recent data set.

This would completely negate automated reports, as with every single dump, one would have to change the query to match the range of Splunk's generated timestamps per event.

Even if you could not update existing records, you CAN mark them for deletion. So programatically the application could delete a matching row and recreate it with the new data. Caveat that Splunk does not release disk space for marked events, but that's easy to deal with.