I'm looking into a way to use Splunk as a data integration tool - so that services like Salesforce can get information from Splunk, instead of relying on my server to call their API.

My logic is that if I report every event to Splunk, and Splunk has a REST API, then why report to additional services and not have them read from Splunk (or Splunk write to them).

I'd love to hear suggestions if anyone's accomplished such a setup - and has insights of considerations such as access tokens, API limitations, data enrichment, shortcuts (like cool Splunk apps that facilitate this) etc.

Examples that demonstrate different ways I thought to take:

1. I set up an alert for a specific kind of Splunk log (e.g. log for a user that deleted their profile) and the alert action uses script/webhook to make a POST request to Salesforce, letting it know a lead should be deleted.

2. I define a saved search/report that aggregates some numbers from logs describing user activities  - and set up a service to poll this via Splunk Cloud REST API and update accordingly.