It is technically possible to do what you are asking: create a service account that has permissions to run Splunk queries that use the delete command, which does not delete data from the underlying storage but does prevent the events from being returned in searches. Here's some documentation on this:
And then it is possible to feed Splunk new events with the same timestamps as the prior events but with revised data.
However, this is a terrible idea. Allowing a service account to delete data at will is asking for trouble. Even though you can, you definitely should not.
By far, your best bet is to go with your final suggestion - to log all the events/data and use SPL to find the correct data. This means you should give some good thought now, while you are architecting your script and processes, to how you will correlate revised logs and clearly identify them.
... View more