Tags: python, splunk, splunk-sdk, splunk-api

Splunk Add-on Builder alert action to store results into a custom index


I am working on an add-on to collect event results based on an alert and send them to an API endpoint. Once the response is a success, the endpoint returns a success message in JSON format, and I want to store it in a custom index and sourcetype.

I tried using the code below, but the data is written to the Main index instead of my custom index. Is there a way to write the event into a custom index for an alert action built via the Splunk Add-on Builder?

```python
helper.addevent("hello", sourcetype="customsource")
helper.addevent("world", sourcetype="customsource")
helper.writeevents(index="mycustomindex", host="localhost", source="localhost")
```

Solution

  • Had a session with Splunk to check whether it is possible or not. They confirmed that it is not possible to write the event back to a custom index, since the current code writes the data to the Main index as stash, which will not be counted against the license. So I have created an HEC-based API call to store the data to achieve my requirement.
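The HEC route the answer describes, as an added example that is not code from the question, the answer, or the Add-on Builder itself. It assumes a constructed HEC URL and token placeholder read from environment variables (in a real add-on the token belongs in the add-on's encrypted settings, never in source), and it checks the `code == 0` acknowledgement HEC returns so a rejected event (bad token, unknown index) is not silently lost.

```python
import json
import os
import urllib.request

# Constructed placeholders: point these at your own HEC endpoint and token.
HEC_URL = os.environ.get(
    "SPLUNK_HEC_URL", "https://splunk.example.com:8088/services/collector/event"
)
HEC_TOKEN = os.environ.get("SPLUNK_HEC_TOKEN", "<hec-token-placeholder>")


def build_hec_event(payload, index, sourcetype, host, source):
    """Build the JSON body HEC expects.

    Routing metadata (index, sourcetype, host, source) sits at the top level;
    the data itself goes under "event". Unlike helper.writeevents(), the
    index named here is honoured, provided the token is allowed to use it.
    """
    return {
        "index": index,
        "sourcetype": sourcetype,
        "host": host,
        "source": source,
        "event": payload,
    }


def hec_accepted(response):
    """HEC answers {"text": "Success", "code": 0} when the event is indexed."""
    return response.get("code") == 0


def send_to_hec(body, url=HEC_URL, token=HEC_TOKEN, timeout=10):
    """POST one event to HEC and return the parsed acknowledgement.

    urllib verifies the TLS certificate by default; keep it that way and
    install the collector's CA rather than disabling verification.
    """
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        url,
        data=data,
        method="POST",
        headers={
            "Authorization": "Splunk " + token,  # HEC auth scheme
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

Inside the alert action, pass the endpoint's JSON success message as `payload` and raise or log when `hec_accepted()` is false so the failure shows up in the action's log rather than disappearing.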