Is there a way to add an additional field to every event for acknowledgment?
I'm analyzing failed login attempts. As some of them happened for a known reason, I'd like to mark them somehow in the final report.
Yes, we need this!!!
I am doing something similar to what you're trying to do -- basically I am tagging events in Splunk with change ticket numbers using lookups. You should be able to tune this to your requirements:
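A sketch of the lookup approach this answer describes, added here as an example; it is not the answerer's own search. The first search writes a constructed lookup file and the second enriches constructed failed-login events with it. The file name `hypothetical_login_acks.csv`, the fields `user`, `src`, `ack_reason`, `ticket` and `acknowledged`, and all sample values are assumptions.

```spl
| makeresults
| eval row=split("svc_backup,192.0.2.20,Expired service account password,CHG-EXAMPLE-1;alice,192.0.2.5,User reported forgotten password,CHG-EXAMPLE-2", ";")
| mvexpand row
| rex field=row "^(?<user>[^,]+),(?<src>[^,]+),(?<ack_reason>[^,]+),(?<ticket>.+)$"
| fields user, src, ack_reason, ticket
| outputlookup hypothetical_login_acks.csv

| makeresults
| eval row=split("alice,192.0.2.5;svc_backup,192.0.2.20;svc_backup,192.0.2.99;bob,192.0.2.7", ";")
| mvexpand row
| rex field=row "^(?<user>[^,]+),(?<src>.+)$"
| lookup hypothetical_login_acks.csv user, src OUTPUT ack_reason, ticket
| eval acknowledged=if(isnotnull(ack_reason), "yes", "no")
| fillnull value="-" ack_reason ticket
| stats count by user, src, acknowledged, ack_reason, ticket
| sort acknowledged, user
```

Because the lookup matches on both `user` and `src`, the `svc_backup` failure from `192.0.2.99` and the `bob` failure stay `acknowledged=no`, so a known reason for one source does not hide failures for the same account from an unexpected source.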
This sure would be a nice feature.