Splunk Enterprise Security

Create investigation in ES using SPL outputlookup command?

samlinsongguo
Communicator

Hi Everyone 

I am trying to create an investigation in ES using SPL.

Since ES mostly works with lookups/KV store, I tried running the following SPL:

| makeresults
| eval class_name="investigation",
    collaborators="[{\"name\": \"AAAAAA\", \"write\": true}, {\"name\": \"BBBBBB\", \"write\": true}]",
    create_time=1668731443,
    creator="CCCCCC",
    description="DDDDDDD",
    mod_time=1668731608,
    status="[{\"name\": \"In Progress\", \"time\": 1668739809, \"id\": \"investigation:2\"}]",
    title="EEEEEEE",
    version=1,
    comments="[]",
    tags="[]"
| table class_name, collaborators, create_time, creator, description, mod_time, status, title, version, comments, tags
| outputlookup append=true investigation

I am able to add an entry to the KV store, but when I load the Investigations tab in ES it breaks with the error "Expect an array" and the page does not load.
 
Has anyone done this before?
 
Is that the right way, or is there another way to use SPL to create an investigation? 
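An added example, not from the post above or from Splunk's own code, that builds the same investigation record with the field names from the poster's SPL but with real JSON arrays, and submits it through the standard KV store REST endpoint (`storage/collections/data/<collection>`) instead of `outputlookup`. The assumptions are: that `outputlookup` stores the `collaborators`/`status`/`comments`/`tags` values as strings, which is a plausible cause of "Expect an array" but not confirmed by the thread; the ES app that owns the `investigation` collection (the `ES_APP_NAME` placeholder); the `status` entry's `id` field, which the post shows but which looks server-assigned and is left out here; and that the sample values (`AAAAAA`, `CCCCCC`, ...) are constructed, as in the post.

```python
"""Create an ES-style 'investigation' KV store document with native JSON types.

Added example (not from the forum post or from Splunk). The field names come
from the poster's SPL; the app name, the token handling and the claim that
outputlookup stores array fields as strings are assumptions.
"""
import json
import ssl
import time
import urllib.request

SPLUNKD = "https://localhost:8089"      # assumption: splunkd management port
ES_APP = "ES_APP_NAME"                  # assumption/placeholder: app owning the collection
COLLECTION = "investigation"            # from the post


def build_investigation(title, description, creator, collaborators,
                        status="In Progress", now=None):
    """Return the document as a dict whose list-valued fields are real lists.

    The poster's SPL writes the same content as string literals such as
    '[{"name": ...}]'; a UI that expects an array would reject that (assumption).
    """
    now = int(now if now is not None else time.time())
    return {
        "class_name": "investigation",
        "title": title,
        "description": description,
        "creator": creator,
        "create_time": now,
        "mod_time": now,
        "version": 1,
        "collaborators": [{"name": n, "write": True} for n in collaborators],
        "status": [{"name": status, "time": now}],
        "comments": [],
        "tags": [],
    }


def as_outputlookup_row(doc):
    """Approximate what the post's SPL writes: every value becomes a string."""
    return {k: (json.dumps(v) if isinstance(v, (list, dict)) else str(v))
            for k, v in doc.items()}


def typed_fields(doc):
    """Names of the fields that are JSON arrays in the document."""
    return sorted(k for k, v in doc.items() if isinstance(v, list))


def post_investigation(doc, token, base=SPLUNKD, app=ES_APP, verify_tls=True):
    """POST the document to the KV store data endpoint; returns {"_key": ...}.

    Uses a bearer token rather than a password in the search string, and keeps
    TLS verification on by default (splunkd ships a self-signed cert; replace
    it rather than disabling verification).
    """
    url = f"{base}/servicesNS/nobody/{app}/storage/collections/data/{COLLECTION}"
    req = urllib.request.Request(
        url, data=json.dumps(doc).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values mirroring the post.
    doc = build_investigation("EEEEEEE", "DDDDDDD", "CCCCCC",
                              ["AAAAAA", "BBBBBB"], now=1668731443)
    print(json.dumps(doc, indent=2))
    print("outputlookup would store:", as_outputlookup_row(doc))
    # post_investigation(doc, token="<splunk-token>")  # needs a live splunkd
```

Compare `build_investigation(...)` with `as_outputlookup_row(...)` in the output: the first keeps `collaborators` and `status` as arrays, the second turns them into the quoted strings the SPL in the post produces. If the Investigations view loads after a REST insert but not after `outputlookup`, that is the cause; if it still fails, the collection expects further fields (such as the `id` in the `status` entries) that this example does not guess at.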