Thanks for the quick response. Here's a few thoughts on that approach:
The alert messages would need to be parameterized and would contain data unique to the search result. I think it's possible to dynamically generate lookup files. Any recommendations or best practices on how to do this?
One other consideration: this alert lookup file will become really big and most of the entries are only relevant for 1-2 weeks. It would be better to save the results in a Splunk index and apply JOINs as needed. Or, I could just append the message text and severity as a field on one of the events.
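For readers following the thread, one way to lay this out in Splunk, added here as an illustration and not taken from the poster or any official Splunk documentation: a scheduled search appends per-result message and severity to the lookup, a second one expires rows older than two weeks so the file stays small, and a third shows the summary-index alternative. The index name, sourcetype, field names and the `alert_messages.csv` file name are assumed.

```ini
# savedsearches.conf (constructed example; names and thresholds are placeholders)

# 1. Append one lookup row per host with a generated message and severity.
[append_alert_messages]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
search = index=main sourcetype=app_events status=failed \
  | stats count AS failures BY host \
  | eval _time=now(), \
         severity=if(failures>10,"high","medium"), \
         alert_msg=failures." failed events on ".host \
  | table _time host alert_msg severity \
  | outputlookup append=true alert_messages.csv

# 2. Nightly purge: rewrite the lookup keeping only rows newer than 14 days,
#    which addresses the "file becomes really big" concern.
[expire_alert_messages]
enableSched = 1
cron_schedule = 0 2 * * *
search = | inputlookup alert_messages.csv \
  | where _time > relative_time(now(), "-14d@d") \
  | outputlookup alert_messages.csv

# 3. Alternative: write the same rows to a summary index instead of a lookup.
#    Retention is then handled by that index's own frozenTimePeriodInSecs,
#    so no purge search is needed, and later searches can join on host/_time.
[collect_alert_messages]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
search = index=main sourcetype=app_events status=failed \
  | stats count AS failures BY host \
  | eval _time=now(), \
         severity=if(failures>10,"high","medium"), \
         alert_msg=failures." failed events on ".host \
  | collect index=alert_summary sourcetype=alert_msg
```

Whichever store is used, `| lookup alert_messages.csv host OUTPUT alert_msg severity` (or a `join host` against `index=alert_summary`) attaches the message to the matching event at search time.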