How does Splunk identify whether any tables in the database have been modified, so that it will remove duplicates?
I'm going to make some assumptions.
You're talking about indexing data from a relational database using the Splunk DB-Connect app. When data in the database table(s) are modified, there is a timestamp column that is updated to show the row(s) modified have changed.
DB Connect is able to look for rows with an "updated timestamp" that is newer than its last check, and re-index the whole row. You WILL get duplicates. If the table has a usable primary key, then you could use the Splunk dedup command to remove values of the primary key fields from your search, keeping only the newest one.
Does this help?
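The behaviour described in this answer, simulated as an added example (not part of the original answer and not DB Connect's own code): a timestamp checkpoint re-fetches whole modified rows into an append-only store, and a per-key "keep newest" pass plays the role of dedup on the primary key. The table `accounts`, its columns and the helper names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed sample table: 'id' is the primary key, 'updated_at' the change timestamp."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, status TEXT, updated_at INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "active", 100), (2, "active", 100), (3, "locked", 100)])
    return db

def poll(db, checkpoint):
    """Fetch whole rows changed since the last check; return them and the new checkpoint."""
    rows = db.execute(
        "SELECT id, status, updated_at FROM accounts WHERE updated_at > ? ORDER BY updated_at",
        (checkpoint,)).fetchall()
    new_checkpoint = max((r[2] for r in rows), default=checkpoint)
    return rows, new_checkpoint

def dedup_newest(events):
    """Keep only the newest event per primary key (the effect of dedup on the key at search time)."""
    newest = {}
    for id_, status, ts in events:
        if id_ not in newest or ts > newest[id_][2]:
            newest[id_] = (id_, status, ts)
    return sorted(newest.values())

def run_demo():
    db = make_db()
    indexed = []                       # stands in for the index: append-only, never updated in place
    rows, cp = poll(db, 0)             # first poll: all three rows
    indexed += rows
    # Row 3 is modified in the database and its timestamp column is bumped.
    db.execute("UPDATE accounts SET status = 'active', updated_at = 200 WHERE id = 3")
    rows, cp = poll(db, cp)            # second poll: only the modified row, re-fetched in full
    indexed += rows
    return indexed, dedup_newest(indexed), cp

if __name__ == "__main__":
    indexed, current, cp = run_demo()
    print(len(indexed), "indexed events ->", len(current), "after dedup on id")
```

The stale copy of row 3 stays in the indexed data; only the search-time view collapses to one event per key.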
Yes. Thanks for your input.