I have an external API subscription that I want to call when a specific field in my Splunk event is present (e.g. City_Name). The REST API call would query the external API for <City_Name> and add the returned data (in JSON format) into Splunk to enrich the event.
I've seen something similar with using "lookup" but looking for a tutorial on how to build this so that when the event field is present, the external API can be called to download the additional enrichment data.
Suggestions / tutorials on how I might go about implementing this in Splunk?
Thanks.
... View more