We've got a very interesting use case from a customer that we're trying to get set up for them, but we've been having problems because of some of the constraints of their environment. They are a call/monitoring center for a large company that monitors events from several different systems across their enterprise. Each system has an individual operations team that collects events, which are then streamed along to the monitoring center in XML format so that the monitoring center can see them on their dashboards in real time, which is nice. However, the events from each system are not normalized with common fields, especially regarding information that could be linked to a specific customer. They have all of their customer information in a separate database but don't have a way of mapping that to the incoming events. So, when they get a call from a customer they have no way of linking the customer problem to specific events.
When a customer complaint comes in, we want the support staff to be able to enter the customer name in a form, first look up that name in the customer database, and return values that could be used as identifiers in related events, like customer name, customer code, device number, etc. We then want to search for those values in the event data.
Access: The center does not have access to the original events, just a single mixed stream of incoming events, so the events cannot be divided into different sourcetypes (as far as I know). 4.2 does not support field extraction by event type, so I cannot think of a way to break up the events to define their fields separately.
So I guess my question has two parts:
1) How can I execute a database lookup script using input from a form type search?
2) How can I take the results from the database lookup and search on them unrelated to field?
ie) Call Center entered Customer Name: Splunk
Database query returns: CUSTNAME=SPLUNK CUSTCODE=000001 DEVICENUM=01010101 etc.
Search string: search "SPLUNK" OR "00001" OR "01010101"
PS: I apologize for the long explanation. I just thought it would be useful to have some background information.
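One way to do the database step described in the question is a Splunk external lookup script: Splunk pipes a CSV (header plus one row per input value) to the script on stdin and reads the same columns back, filled in, on stdout. The example below is added here and is not the poster's code; the sqlite in-memory table and its two rows are constructed stand-ins for the real customer database, and `search_terms` builds the OR'd string shown in the question for use as a subsearch result.

```python
import csv
import io
import sqlite3
import sys

# Constructed sample data standing in for the customer database.
SAMPLE_CUSTOMERS = [
    ("SPLUNK", "000001", "01010101"),
    ("ACME", "000002", "02020202"),
]


def open_sample_db():
    """Build an in-memory table; a real deployment would connect to the customer DB instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (custname TEXT, custcode TEXT, devicenum TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_customer(conn, name):
    """Return (custcode, devicenum) for a customer name, or None if unknown.
    The parameterised query keeps form input out of the SQL text."""
    return conn.execute(
        "SELECT custcode, devicenum FROM customers WHERE custname = ?",
        (name.strip().upper(),),
    ).fetchone()


def process(conn, in_text):
    """Splunk external-lookup protocol: CSV in, same columns out with CUSTCODE/DEVICENUM filled."""
    reader = csv.DictReader(io.StringIO(in_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        hit = lookup_customer(conn, row.get("CUSTNAME", ""))
        if hit:  # unknown names pass through with the output fields left empty
            row["CUSTCODE"], row["DEVICENUM"] = hit
        writer.writerow(row)
    return out.getvalue()


def search_terms(conn, name):
    """Turn one lookup result into the quoted, OR'd search fragment from the question."""
    hit = lookup_customer(conn, name)
    if hit is None:
        return None
    return " OR ".join(f'"{t}"' for t in (name.strip().upper(), *hit))


if __name__ == "__main__":  # invoked by Splunk via external_cmd in transforms.conf
    sys.stdout.write(process(open_sample_db(), sys.stdin.read()))
```

Registered in transforms.conf with `external_cmd = customer_lookup.py CUSTNAME CUSTCODE DEVICENUM` and `fields_list = CUSTNAME,CUSTCODE,DEVICENUM` (stanza name assumed to be `customer_db`), a subsearch that runs `lookup customer_db CUSTNAME OUTPUT CUSTCODE DEVICENUM` on the form value and then evals the three fields into a field named `search` hands the OR'd terms to the outer search without tying them to any event field.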