Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Which field to store meta data about alert begin deployed?

mosh
Explorer
‎06-10-2022 11:45 AM

I want to save some meta-data (operational history of the alert (beyond the text description)) along with alert as a json object in a field.  This is from automated  pipelines using sdk (nodejs/python) and POST API  to splunk servers.

Labels (1)
Labels
Tags (3)
0 Karma
Reply

mosh
Explorer
‎06-15-2022 03:10 PM

This has to part of savedsearch (alert/correlation search param), before it is deployed/updated, but should not affect splunk actions in anyway. Otherwise I can manage it myself (outside of splunk) as I do right now.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-10-2022 11:57 AM

Once events have been indexed (stored) no new fields can be added.  If you need to store additional information then you have a few options:

  1. Write it to a lookup file
  2. Write it to the KVStore
  3. Write it to a summary index (or a regular index)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...