I am trying to create a KV Store that pulls events from an indexer. It should display the Event, Log Line, Domain, and IP. Additionally, it should have a comment box and name of the person who is adding the comment pulled from the user account making the change. The comment box should also have an audit trail since numerous users are able to input a comment for an event.
Can someone help me with this? How should i approach it? Any documentation that will allow me to do this?
Links with details below but kvstores can be appended just like lookup tables. So you just need to create a search like something below
your search | table event,longline,domain,ip | outputlookup yourkvstorename append=true
Really awesome write up on kvstores here.
And a link to how you can append a kvstore.
This sounds like you are trying to make something like the investigator timeline from Enterprise Security.
Also what you are trying to achieve is not what KV Stores are traditionally used for. Have a look at the Splunk Java SDK. With the java sdk you can write your own dashboards and as it's JS you have a lot of flexibility with the scripting language.