Getting Data In

Cross app enrichment

Path Finder

How does one enrich using data from another app space? or: How can one write enrichment data to another app space?

I have a need to enrich a search from data who's source is in another app space. The enrichment data is temporal in nature in that it can change on a moment's notice. The fields are mostly string data that deal with relationships and is derived from the source app event index. A scheduled job can be run to build the relationships out of events.

The environment is partitioned into several app spaces representing services, where users of one service do not have access to the index or knowledge objects in the app of another ; there is emphasis on role based access.  New to the environment is site reliability engineering where users from other services would be able to access the SLI/SLO (and possibly KPI) metrics of any other service.   My current thinking is that summary reporting to a common index (SRE) would work, but that needed enrichment data would be missing.

I was thinking that outputlookup would be right way to go to generate the data and share, but I have few controls as to where the CSV is made available. The controls create_context=[app|user|system] and createinapp=<bool> will only work if the share source has write access to the system level space. I could concatenate the fields of the CSV and write a numeric value of 1 to summary_index to achieve the effect, but somehow that feels wrong.

Guidance needed,


Labels (2)
0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...