Splunk Suggestion / Re-architecture / Enhancement
Currently the Splunk config is set up in cron-job style. This is somewhat Rube Goldberg-ian and is ripe for simplification. In the absence of a better solution, I would submit that the following is a plausible path forward. By employing the webhook from Twistlock, it will send a POST request to an endpoint. In testing I have set up a Flask (Python) web server that, upon receiving a POST request (in this case from the webhook), fires off poll_incidents and poll_forensics and follows the rest of the configuration flow. It could be deployed as a container alongside the current Twistlock containers. Moreover, it could then have environment variables assigned (for example, the index) that would generate the files that come along with the app.
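As an added example (not code from this post or from the app), here is a minimal version of the receiver described above, written against the Python standard library instead of Flask so it runs with no extra dependencies. It authenticates each POST with an HMAC over the raw body before anything is polled, treats the body purely as a trigger, and passes the configured index on to the polling step. The `X-Webhook-Signature` header and the `WEBHOOK_SECRET` / `SPLUNK_INDEX` variable names are this example's assumptions, not Twistlock settings; `run_polls` stands in for the app's own poll_incidents / poll_forensics.

```python
import hashlib, hmac, json, os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional, Tuple
MAX_BODY_BYTES = 64 * 1024  # a trigger payload is small; refuse anything larger

def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 hex digest of the raw body; the sender puts this in the header (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def handle_webhook(raw_body: bytes, signature: Optional[str], secret: bytes,
                   on_trigger: Callable[[str], dict], index: str) -> Tuple[int, dict]:
    """Validate one webhook POST and, only if genuine, fire the polling flow. The body is
    purely a trigger: data is re-fetched by on_trigger, so nothing sent is forwarded unverified."""
    if len(raw_body) > MAX_BODY_BYTES:
        return 413, {"error": "payload too large"}
    # compare_digest is constant-time, so a forger cannot learn the digest byte by byte
    if signature is None or not hmac.compare_digest(sign(secret, raw_body), signature):
        return 401, {"error": "bad or missing signature"}
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(event, dict):
        return 400, {"error": "body must be a JSON object"}
    return 200, {"index": index, "result": on_trigger(index)}

def run_polls(index: str) -> dict:
    """Stand-in for the app's poll_incidents / poll_forensics, which would receive the index."""
    return {"incidents": "polled", "forensics": "polled", "index": index}

class WebhookHandler(BaseHTTPRequestHandler):
    secret = os.environ.get("WEBHOOK_SECRET", "").encode()  # assumed variable names
    index = os.environ.get("SPLUNK_INDEX", "twistlock")
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(min(length, MAX_BODY_BYTES + 1))  # never read unbounded input
        status, payload = handle_webhook(body, self.headers.get("X-Webhook-Signature"),
                                         self.secret, run_polls, self.index)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    if not WebhookHandler.secret:
        raise SystemExit("WEBHOOK_SECRET must be set")
    HTTPServer(("0.0.0.0", 8080), WebhookHandler).serve_forever()
```

Because the handler ignores the payload's contents and re-polls, a forged or replayed POST can at worst cause an extra poll, never inject data into the index.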