I'm writing a Splunk App and looking for a few pointers on how to approach the following:
- A scripted input requests events from a REST API.
- Sometimes, but not often, an event needs to be corrected after it's been indexed.
- Is this possible?
- What I was thinking is that my input script could run a search against the API and then delete the old event and index the updated event.
- This brings up the question of whether or not the input script would have the correct permissions to search / delete events via the REST API.
- The events are stored in an index specific to this application.
- The only other option would be to just index the updated event and use Splunk search language to filter out old events and only look at ones with the most recent indexed-on date.
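The second option in the question (append the corrected event, resolve at search time) only works if every event carries a stable correlation key and something that orders its versions. The following is an added example, not code from the original post: a scripted-input emit helper plus the read-side "latest revision wins" resolution. The field names `event_id` and `revision`, the sample events, and the idea of ordering by an explicit revision number rather than by index time are all assumptions made here for illustration.

```python
"""Added example, not from the original post.

emit_event()        - one JSON line per event, the shape a scripted input
                      would print to stdout for Splunk to index.
latest_revisions()  - collapse indexed events to the newest version of each
                      event_id, mirroring what the search-time filter must do.

Field names (event_id, revision, severity, src_ip) are assumptions.
"""
import json
from typing import Dict, Iterable


def emit_event(event_id: str, revision: int, body: Dict) -> str:
    """Serialize one event as a single JSON line.

    A stable event_id plus a monotonically increasing revision is what lets a
    later correction be matched to the original at search time. The script
    never has to search or delete anything it already indexed.
    """
    record = {"event_id": event_id, "revision": revision, **body}
    return json.dumps(record, sort_keys=True)


def latest_revisions(lines: Iterable[str]) -> Dict[str, Dict]:
    """Return the highest-revision record per event_id.

    Keyed on the explicit revision rather than on arrival/index order, so a
    replayed or out-of-order re-index of an old version cannot overwrite the
    correction (the failure mode of filtering purely on indexed-on date).
    """
    best: Dict[str, Dict] = {}
    for line in lines:
        rec = json.loads(line)
        cur = best.get(rec["event_id"])
        if cur is None or rec["revision"] > cur["revision"]:
            best[rec["event_id"]] = rec
    return best


# Constructed sample (not real data): three polls of the API. ev-1 is corrected
# on the second poll, then the first poll's output is replayed out of order.
SAMPLE_LINES = [
    emit_event("ev-1", 1, {"severity": "high", "src_ip": "10.0.0.5"}),
    emit_event("ev-2", 1, {"severity": "low", "src_ip": "10.0.0.9"}),
    emit_event("ev-1", 2, {"severity": "medium", "src_ip": "10.0.0.5"}),
    emit_event("ev-1", 1, {"severity": "high", "src_ip": "10.0.0.5"}),  # replay
]


if __name__ == "__main__":
    for eid, rec in sorted(latest_revisions(SAMPLE_LINES).items()):
        print(eid, rec["revision"], rec["severity"])
```

The search-time equivalent of `latest_revisions()` is a dedup on the correlation key ordered by revision, for example `index=<your_app_index> | dedup event_id sortby -revision`, which can be wrapped in a saved search or a macro so users never see the stale copies. This keeps the scripted input as a write-only producer: it needs no search or `delete` capability, and the `delete` command in Splunk only hides events from search results rather than reclaiming the space, so the append approach gives up nothing there.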