I am using Splunk DB Connect installed on a heavy forwarder to monitor database using a rising column. I need to make some minor changes to the query to tune it for faster execution. Need to understand how Splunk DB Connect identifies the folder name, the current value of rising column is stored? I am worried that when the query is changed, Splunk might detect the change and would ignore the current rising column value and would run the query without rising column [for the first time after the change] This might create a new folder to store the current value under var/lib/splunk/persistentstorage/dbx folder and would use the new value. This would result in lot of duplicate values that would have got already indexed so far.
Need a confirmation on whether we can edit/change the query without impacting the current persistent value of rising column. Please note that there are no changes to the rising column name. The only change is to add some hints and where condition to the existing query.
The current version of db connect I am using is version 1.1.6.
The current state of persistent storage is given below. Variable values are marked with << >> with dummy values.
'# Created at < <DateTimeStamp> >
<value class="sql-timestamp"> <<Latest Value of Raising Column FromLast Run>></value>