I have another way to do this without writing custom scripts. I haven't tried this myself and personally I'd use a different method. But since it seems you have not found a suitable answer yet let me add this idea. I didn't test this either but I don't see why it wouldn't work.
Step 1: Create your database input using SPlunk DB Connect and schedule it to run 3 times per day to import the entire data set each time
Step 2: Create a saved search that deletes the data in the index that the Splunk DB Connect input pushes data to. The saved search would be set to all time and would be: index=myindex | delete
This saved search would need to be scheduled to run before the db input runs.
Step 3: I'd create a special user specifically for this purpose and obviously don't share the search with other users and don't provide 'delete' capability to normal users.
Step 4: Optionally, you might want to periodically 'clean' the index because the delete command doesn't reclaim disk space.
Read about the delete command here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete
To clean the index you will have to shut down Splunk and run the following at command line (I'm on Linux but I imagine Windows is similar process):
First, issue this command at the command line to stop SPlunk:
sudo -H -u splunk /$splunk_home$/bin/splunk stop
Next, use the clean command to clean all events from an index:
sudo -H -u splunklnx /$splunk_home$/bin/splunk clean eventdata -index yourindexname
Last, restart Splunk:
sudo -H -u splunkuser /$splunk_home$/bin/splunk start
$splunk_home$ - refers to your own directory path
IMPORTANT: Notice this part: 'sudo -H -u splunkuser'
Depending on your configuration, you might have to run Splunk as a specific user. I do and so 'splunkuser' is the system username I've dedicated for Splunk. Again, it might depend on your own set of circumstances. But if I start splunk as root or another user, Splunk file ownership and permissions are changed & Splunk web runs into many problems. Unfortunately I figured out how to deal with this by experience. I started as root and to fix the problem I had to shut down splunk and change the owner of all the files in the splunk directory back to the 'splunkuser'.
... View more