Quick question:
I have a Splunk ES add-on used to send alerts data from Splunk to another server. The user set up a modular action to trigger the send.
However, the events I’m fetching seem to have no event id.
If I make an API query to the notable index, using the same query, the event IDs do return, along with the rest of the data.
Any explanation for this? I was thinking this could happen because the event isn’t actually created in Splunk by the time the modular action is triggered, and thus it does not have an ID yet.
Any thoughts?
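One way to see what the modular action is actually handed, as an added example that is not part of the original post or Splunk's own code: it assumes the standard custom alert action contract (a JSON payload on stdin whose `results_file` points at a gzipped CSV of the search results) and reports which rows lack `event_id`, so a missing column can be told apart from a present-but-empty one.

```python
import csv
import gzip
import io
import json
import sys

# Fields a notable row is expected to carry before it is forwarded (assumed list).
REQUIRED_FIELDS = ("event_id", "rule_name")


def read_results_csv(data: bytes):
    """Parse the gzipped CSV that Splunk writes as an alert action's results_file."""
    with gzip.open(io.BytesIO(data), "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def missing_fields(rows, required=REQUIRED_FIELDS):
    """Return (row_index, [missing field names]) for rows where a required field is absent or empty."""
    problems = []
    for i, row in enumerate(rows):
        missing = [f for f in required if not row.get(f)]
        if missing:
            problems.append((i, missing))
    return problems


def check_payload(payload: dict):
    """Load the results file named in the stdin payload and return (rows, problems)."""
    with open(payload["results_file"], "rb") as fh:
        rows = read_results_csv(fh.read())
    return rows, missing_fields(rows)


# Constructed sample: one row with an event_id and one where the column is present but blank.
SAMPLE_CSV = (
    "_time,rule_name,event_id,src\n"
    "1700000000,Brute Force,constructed-id-1,10.0.0.5\n"
    "1700000001,Brute Force,,10.0.0.6\n"
)


def sample_results() -> bytes:
    """Gzip the constructed sample so it looks like a real results_file."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", newline="") as fh:
        fh.write(SAMPLE_CSV)
    return buf.getvalue()


if __name__ == "__main__":
    rows, problems = check_payload(json.load(sys.stdin))
    print(f"{len(rows)} rows, {len(problems)} lacking required fields: {problems}", file=sys.stderr)
```

Logging this from inside the action (stderr ends up in splunkd.log for alert actions) shows whether `event_id` is absent from the results at trigger time or merely empty, which narrows down the timing hypothesis above.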