I have a script that pulls events from my REST API for Splunk to index. My script runs on a schedule.
I want to only pull new events, to prevent duplication and unnecessary traffic. My events have incrementing IDs.
To pull new events I need my script to remember what the ID of the last pulled event was, i.e. my script needs to persist state between runs. If the Splunk instance restarts, I also wouldn't like to bring in all the events from the beginning.
What are my options here? I would prefer not to read the last ID by issuing a query to Splunk.
Thanks!
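One way to persist the last pulled ID between scheduled runs is a small checkpoint file that is replaced atomically. This is an added example, not part of the original post and not Splunk's own code. The checkpoint path and the `fetch_since` and `emit` callables are hypothetical stand-ins for the REST call and for whatever hands events to the indexer.

```python
import json
import os
import tempfile


def load_last_id(path):
    """Return the persisted event ID, or 0 when the checkpoint is missing or unusable."""
    try:
        with open(path, encoding="utf-8") as f:
            value = json.load(f)["last_id"]
    except (FileNotFoundError, ValueError, KeyError, TypeError):
        return 0  # re-pull from the start: duplicates are preferred over gaps
    return value if type(value) is int and value >= 0 else 0


def save_last_id(path, last_id):
    """Write to a temp file in the same directory, fsync, then rename over the
    checkpoint, so a crash or restart never leaves a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ckpt-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump({"last_id": last_id}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on the same filesystem
    except BaseException:
        os.unlink(tmp)
        raise


def run_once(path, fetch_since, emit):
    """One scheduled run: fetch events newer than the checkpoint, emit them in
    ID order, and advance the checkpoint only past events actually emitted."""
    start = last_id = load_last_id(path)
    try:
        for event in sorted(fetch_since(last_id), key=lambda e: e["id"]):
            if event["id"] <= last_id:
                continue  # the API returned something already seen
            emit(event)
            last_id = event["id"]
    finally:
        if last_id != start:
            save_last_id(path, last_id)  # also runs if emit() failed part-way
    return last_id


if __name__ == "__main__":
    # Constructed sample data standing in for the REST API response.
    sample = [{"id": i, "msg": f"event {i}"} for i in range(1, 4)]
    ckpt = os.path.join(tempfile.mkdtemp(), "checkpoint.json")
    run_once(ckpt, lambda since: [e for e in sample if e["id"] > since], print)
```

Keep the checkpoint file in a directory that only the account running the script can write to, since anyone who can edit it can make the script skip or replay events.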