I have created my own alert action that receives information from Splunk. The action is added to an existing alert. The alert is real-time, triggered per result.
The action goes to another service to pull more information (think of geo-location service that provides lat/long information provided the IP). I would like to add this additional information back to the alert.
How can I do it?
There is no way to edit an data that is already indexed in Splunk.
However you could do this:
1. Have your alert action take the information from Splunk and then the results from the service, then write all of this to a new log file.
2. Splunk the new log file.
3. Write searches in Splunk that combine the original information with the new log file information.
OR, you could use the Splunk KV store. Instead of writing all the stuff to a new log file, place an entry in a KV store collection. Then use the KV store collection as part of searches.
Regardless of approach (log file or KV store), be sure to add enough of the original information to the entry so that it can be correlated properly.
There is no way to edit an data that is already indexed in Splunk.
However you could do this:
1. Have your alert action take the information from Splunk and then the results from the service, then write all of this to a new log file.
2. Splunk the new log file.
3. Write searches in Splunk that combine the original information with the new log file information.
OR, you could use the Splunk KV store. Instead of writing all the stuff to a new log file, place an entry in a KV store collection. Then use the KV store collection as part of searches.
Regardless of approach (log file or KV store), be sure to add enough of the original information to the entry so that it can be correlated properly.