I'd like to take various actions against real-time events from Splunk. What's considered the best practice for this? I'm not sure if it would be preferred to run a real-time search in Splunk and kick off a scripted alert for those events that I want to process further (running zcat on the $8 argument to the script to get at the events), or if it's better to run a "splunk rtsearch" from the CLI. Any pointers on how to really iterate through the rtsearch results, similar to something like this:
splunk rtsearch "link down | table _time, host" -preview false -header false | while read -r time host; do
    something   # act on one event, e.g. pass "$time" and "$host" to a handler
done
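As an added example (not code from the original post), here is a POSIX sh loop over the two-column table output that the rtsearch above produces, run against a constructed sample so it executes offline; handle_event, process_events and the sample lines are assumed names and values, and the real pipe is shown in run_live.

```shell
#!/bin/sh
# Added example: iterate over "splunk rtsearch ... | table _time, host" output.
# The loop reads one event per line and skips blank, header and separator
# lines defensively, so it also survives output produced without -header false.

# Constructed sample of CLI table output (not captured from a real Splunk host).
SAMPLE_OUTPUT='_time                         host
---------------------------   ---------
2024-05-01T10:00:01.000+00:00 core-sw-01

2024-05-01T10:00:07.000+00:00 edge-rtr-07
garbage-line-without-host'

# Per-event action; replace the printf with the real handler (ticket, API call...).
handle_event() {
    ev_time="$1"
    ev_host="$2"
    printf 'ACTION %s %s\n' "$ev_host" "$ev_time"
}

# Read rtsearch table rows from stdin and dispatch each valid event.
# _time comes first because it contains no spaces; a trailing field soaks up
# any unexpected extra column so it cannot shift the host value.
process_events() {
    while read -r ev_time ev_host _extra; do
        case "$ev_time" in
            ''|_time|--*) continue ;;   # blank line, header row, separator row
        esac
        if [ -z "$ev_host" ]; then
            printf 'WARN: skipping row with no host: %s\n' "$ev_time" >&2
            continue
        fi
        handle_event "$ev_time" "$ev_host"
    done
}

# The live form of the loop from the question (not run here, needs a Splunk CLI).
run_live() {
    splunk rtsearch "link down | table _time, host" -preview false -header false \
        | process_events
}

# Offline demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | process_events
```

Because the function runs on the right side of a pipe, any counters it updates live in a subshell; write results to stdout or a file rather than relying on variables after the loop.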