I have one primary index, namely azure, with two sourcetypes, namely mscs:kube-good and mscs:kube-audit-good. I believe there could be duplication of log data between the two sourcetypes. What are the Splunk queries that can tell me if there is duplication of logs between the two sourcetypes? Do they each have information that the other doesn't contain? Is there a lot of overlap? Please give me the Splunk queries that will do this job.
To find duplicate events, try this query:
index=azure sourcetype IN ("mscs:kube-good", "mscs:kube-audit-good")
| stats count by _raw
| where count>1
I'm afraid there are no magic queries to answer your other questions. You'll have to analyze the data in each sourcetype and craft queries as you go to work out answers.
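Added example, not part of the answer above: the query in the answer counts repeated raw events, but it does not say whether a repeat comes from the same sourcetype or from both, so it does not by itself answer the overlap question. The two searches below are one way to go further. They assume only the index and sourcetype names from the question; the field names `raw_hash`, `st_count`, `copies`, `bucket`, `good`, `audit` and `present_in` are invented here. Both searches compare events by exact raw text, so an event that appears in both sourcetypes with even a one-byte difference (a different timestamp prefix, for example) is counted as two distinct events; a result of no overlap therefore means "no byte-identical duplicates", not "no redundant data". Run them over a bounded time range, since `stats ... BY` on a per-event key keeps one row per distinct event in memory.

```spl
index=azure sourcetype IN ("mscs:kube-good", "mscs:kube-audit-good")
| eval raw_hash=sha256(_raw)
| stats dc(sourcetype) AS st_count values(sourcetype) AS sourcetypes count AS copies BY raw_hash
| eval bucket=if(st_count>1, "both sourcetypes", mvindex(sourcetypes, 0))
| stats count AS distinct_events sum(copies) AS total_events BY bucket

index=azure sourcetype IN ("mscs:kube-good", "mscs:kube-audit-good")
| fields - _*
| stats count(*) AS * BY sourcetype
| transpose 0 header_field=sourcetype column_name=field
| eval good=coalesce('mscs:kube-good', 0), audit=coalesce('mscs:kube-audit-good', 0)
| eval present_in=case(good>0 AND audit>0, "both", good>0, "mscs:kube-good only", audit>0, "mscs:kube-audit-good only")
| table field good audit present_in
```

The first search hashes each raw event (the hash only replaces `_raw` as a shorter group-by key; grouping by `_raw` directly gives the same result), then reports how many distinct events exist only in mscs:kube-good, only in mscs:kube-audit-good, or in both, together with the total number of copies behind each row, which shows at a glance how much of the volume is overlap. The second search answers "what does each sourcetype have that the other doesn't" at the field level: it counts how many events in each sourcetype carry each extracted field and flags fields that occur in only one of them. Because Kubernetes audit events and container or control-plane logs normally have quite different shapes, expect the first search to show little byte-level overlap even when both sourcetypes describe the same activity; the field-level view is usually the more informative of the two for deciding whether one feed can be dropped.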