I feel like this is a known issue & I feel like it's been around for a while. Reaching out to see if anyone has worked around this. I found one single post related to this where the only suggestion was to change how frequently Splunk reads in data, but tbh that's not much of an option here because Splunk is already known to peg out DBCPU time in my org.
Short version of it is I'm having trouble with Splunk only ingesting a job from the AsyncApexJob object in my Salesforce org once, even though that job will get updated repeatedly as it goes through statuses of Queued, Running, Completed, etc. It's not every job that does this, but it's frequently enough that I can't build an accurate alert off it.
There's a release note for add-on 4.2.2 that says this is a known issue: https://docs.splunk.com/Documentation/AddOns/released/Salesforce/Releasenotes#Known_issues
However, I'm on 4.0.3 of the Salesforce add-on and my Splunk Enterprise is 7.3.3.
Has anyone else noticed this, worked around it without changing the frequency Splunk hits the org, is it to be fixed in a future update, etc.?