When creating an input in DB DatLab of Splunk, you can select the Input Type in Settings.
My understanding of the meaning of each is as follows.
1. Batch Input ... The same query is issued to the database every time. All data is acquired each time, without considering which records have already been read. In that case, Splunk adds the newly read data while leaving the previously read data in place.
2. Rising Column ... Splunk records which record has been read, and sets things up so that reading resumes from there at the next read timing. It is suitable for indexing a table into which data is inserted each time.
At present, I have created and searched Inputs in both Batch and Rising mode for the number of queries per year and month.
In the case of Batch, it acquires the real-time count at every search, whereas Rising can only acquire the previous day's data even though the Checkpoint is specified down to the hour, minute and second.
Q1: Please let me know if you know the URL for the Batch and Rising specifications.
Q2: If I want to get the whole number of queries in real time every time, is it fine to get it in Batch mode?
And also for your 2nd question, I didn't get the "whole queries" thing. The best way is to upload the data to Splunk using a rising column: whenever there is a new entry in the database, it will get indexed, and then you can apply whatever condition or transformation you want. Batch mode is for one-time indexing; otherwise it will consume a lot of license.
The other way is to call the query directly and show the result on the Splunk search screen: | dbxquery connection=<connection_name> query=<query>
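The difference between the two input types described in the question (Batch re-reads the whole table on every run; Rising Column only reads rows past a stored checkpoint) can be shown without a Splunk instance. The following is an added example written for this page, not code from Splunk or DB Connect: it simulates both behaviours against a constructed SQLite table. The table and column names (query_log, id, ts, stmt) and the sample rows are made up. The rising-column read is modelled the way DB Connect fills its `?` placeholder: the last value seen replaces `?` and the query must be ordered ascending by that column, so only rows strictly greater than the checkpoint are returned. The last scenario shows the caveat of a rising column that is not strictly increasing per row (a value truncated to the day): rows added later on the same day as the checkpoint are never picked up.

```python
"""Simulate Splunk DB Connect batch vs rising-column inputs over a
constructed SQLite table (added example; not Splunk's own code)."""
import sqlite3

# Constructed schema: a query-log table with a monotonic id and a timestamp.
SCHEMA = ("CREATE TABLE query_log ("
          "id INTEGER PRIMARY KEY, ts TEXT NOT NULL, stmt TEXT NOT NULL)")

# Constructed sample data. Each inner list is the set of rows that arrive in
# the database between two consecutive runs of the input.
RUNS_BY_ID = [
    [(1, "2023-01-01 10:00:00", "SELECT 1"),
     (2, "2023-01-01 11:00:00", "SELECT 2")],
    [(3, "2023-01-02 09:00:00", "SELECT 3")],
    [],  # nothing new before the third run
]
RUNS_BY_DAY = [
    [(1, "2023-01-01 10:00:00", "SELECT 1")],
    [(2, "2023-01-01 12:00:00", "SELECT 2"),   # same day as the checkpoint
     (3, "2023-01-02 09:00:00", "SELECT 3")],
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def batch_read(conn):
    """Batch input: identical query every run, no memory of what was read."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM query_log ORDER BY id").fetchall()]


def rising_read(conn, rising_expr, checkpoint):
    """Rising-column input: rows with rising_expr strictly above the stored
    checkpoint, ascending, and the new checkpoint (last value seen).
    rising_expr is a trusted constant chosen by the input's author; the
    checkpoint is bound as a parameter, like DB Connect's '?' placeholder."""
    sql = (f"SELECT id, {rising_expr} AS rising FROM query_log "
           f"WHERE {rising_expr} > ? ORDER BY rising ASC")
    rows = conn.execute(sql, (checkpoint,)).fetchall()
    new_checkpoint = rows[-1][1] if rows else checkpoint
    return [r[0] for r in rows], new_checkpoint


def simulate(mode, runs, rising_expr="id", initial_checkpoint=0):
    """Insert each run's rows, then execute the input once in the given mode.
    Returns (ids indexed over all runs, final checkpoint)."""
    conn = make_db()
    indexed, checkpoint = [], initial_checkpoint
    for new_rows in runs:
        conn.executemany(
            "INSERT INTO query_log (id, ts, stmt) VALUES (?, ?, ?)", new_rows)
        if mode == "batch":
            indexed.extend(batch_read(conn))
        elif mode == "rising":
            ids, checkpoint = rising_read(conn, rising_expr, checkpoint)
            indexed.extend(ids)
        else:
            raise ValueError(f"unknown input type: {mode}")
    return indexed, checkpoint


if __name__ == "__main__":
    # Batch indexes every row on every run, so events pile up in Splunk.
    print("batch  :", simulate("batch", RUNS_BY_ID)[0])
    # Rising column on a unique, increasing id indexes each row exactly once.
    print("rising :", simulate("rising", RUNS_BY_ID))
    # Rising column on a day-granularity value skips same-day late arrivals.
    print("by day :", simulate("rising", RUNS_BY_DAY,
                               rising_expr="substr(ts, 1, 10)",
                               initial_checkpoint=""))
```

With the constructed data, batch mode yields eight events for three distinct rows (which is the license cost the answer warns about), rising mode on `id` yields exactly three, and rising mode on the day-truncated timestamp never indexes row 2 because its day is not greater than the checkpoint already stored. A rising column therefore needs to be unique and strictly increasing at the granularity of a row, not just of a day.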