I just finished an integration of the SCCM App and Splunk using Splunk DB Connect 2. Not sure where is the issue, but I've been seeing the same exact logs getting pulled from SCCM every 10 minutes (this is what I set the intervals to). The only different field is the time since it's 10 minutes different from each other, but the logs are identical.
1. time, raw log
2. time + 10 minutes, same raw log as above
3. time + 10 minutes + 10 minutes, same raw as above (#1)
How can I fix it to make Splunk DB Connect pulls the logs only once and make it aware of the same logs?
I worked with the customer support on this issue. This is their response if someone cares:
I see the following values for this attribute: tailrisingcolumncheckpointvalue = ThreatID. This is likely what is causing the errors regarding character conversion that I see in the logs.
This value is used as a marker for DB Connect to remember what value it last ingested from the database. This must be a unique and sequentially incrementing value like a RowID or some other unique value to each row.
You can set this checkpoint value to the first value of that column and Splunk will ingest all of the data from that point forward. If you do modify this value to an earlier checkpoint, please note that Splunk will re-index any column that has already been ingested from previous values so you may have duplicate data in your searches. I recommend, clearing the events ingested during your testing, finding the first value of this table in the database and re-ingesting all data from the beginning (if your intent is to collect all rows in the database since the beginning of time)