I have certain events running into my index that have more of a describing nature to other events. Some kind of metadata.
Now, as I learned, metadata for events is best stored in a lookup. Let's say a kv-store.
Question is how to add a new line to this lookup whenever a metadata event arrives in my index?
I have tried an alert search that runs in real time and has an outputlookup statement in it, but that doesn't seem to write anything to the lookup even though the alert is triggered on new events. Am I just doing it wrong or is this something that couldn't work?