I am still relatively new to Splunk. I am trying to index data out of SCCM. I have been able to configure a DB Input and this writes information to an index which I can search successfully. However, the index seems to be duplicating information every time I press "Enter" in my search (so on the first run I might get, say, 700000 events/rows, adjust my query and then I get 1.3 million, adjust my query and then 2.1 million, etc.).
The table that I am targeting in SCCM (for info's sake, it is v_GS_INSTALLED_SOFTWARE), so from an SCCM perspective it isn't going to grow greatly. The columns in the table provide the "date of the index search" or the "date of when the software was installed". There is not a good column to use as an indicator so that I can use something like a Rising Column to stop this behaviour. I have had a look at some of the documentation and it indicates that maybe changing the input mode from "batch" to "tail" might help? Would this do the trick? Would this also resolve the issue where I am getting duplicate information?
I have my DBInput currently configured with:
Input mode = batch
Max rows = 1000000
Interval = 43200 (was set to 3600, which is probably what broke my license). This therefore means 12-hourly.
Hello
You should find an incremental value (a timestamp or numeric auto-incremental column) and switch the input to "tail" mode. This way you will only index new data at each interval.
Regards
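As an added illustration of the tail-mode approach the answer describes (not from the original thread), this is the shape of a DB Connect rising-column query against the view named in the question. It assumes the view's TimeStamp column is chosen as the rising column, which is an assumption, since the question notes no ideal column exists; DB Connect substitutes the last stored checkpoint value for the `?` placeholder.

```sql
-- Added example, not from the thread. Rising-column ("tail") query for a
-- Splunk DB Connect input against the SCCM view from the question.
-- Assumption: TimeStamp is used as the rising column. DB Connect replaces ?
-- with the checkpoint it saved after the previous run, and the ORDER BY on the
-- rising column is required so that the checkpoint advances to the highest
-- value actually fetched (otherwise "Max rows" can cut the batch in the wrong
-- place and rows are skipped or re-read).
SELECT *
FROM   v_GS_INSTALLED_SOFTWARE
WHERE  TimeStamp > ?
ORDER  BY TimeStamp ASC;

-- Caveat for this particular view: SCCM rewrites TimeStamp when a client is
-- re-inventoried, so an updated row will be picked up again as "new". That is
-- bounded by how often inventory changes, unlike batch mode, which re-indexes
-- every row on every interval. A strictly increasing numeric key, where one
-- exists, avoids even that.
```

Because the comparison is strict (`>`), a run that stops mid-way through a group of rows sharing the exact checkpoint TimeStamp will not see the remainder on the next run; setting "Max rows" high enough that one run drains the view keeps that edge case from occurring.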