We are planning to ingest Oracle standard auditing and FGA logs (both stored in Oracle DB tables) via DBConnect into Splunk. Does anyone here know if Splunk updates the DBA_AUDIT_MGMT_LAST_ARCH_TS value for the audit trails after it collects the data? This value is a timestamp tells the source Oracle database that the audit data has been collected by the external tool, and allows the DBA's to know that the audit logs have been collected from the database. In turn, this let's the database purge jobs execute and delete the audit data from the database since it has already been collected by Splunk.
I do not think that Splunk will update the LAST_ARCHIVE_TIMESTAMP - not by itself.
However, in the doc Splunk says that it does support calling a procedure of an Oracle Database
https://docs.splunk.com/Documentation/DBX/3.7.0/DeployDBX/Commands
But I do not know if its only the case of procedures returning events as cursor to be pulled by DB Connect, or even the (your) case of a procedure just doing some actions and returning no rows.
If the second is true, I guess that calling
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
audit_trail_type IN PLS_INTEGER,
last_archive_time IN TIMESTAMP,
rac_instance_number IN PLS_INTEGER DEFAULT NULL,
container IN PLS_INTEGER DEFAULT CONTAINER_CURRENT,
database_id IN NUMBER DEFAULT NULL,
container_guid IN VARCHAR2 DEFAULT NULL);
https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_AUDIT_MGMT.html#GUID-75EE6B...
... will set the right timestamp