Alerting

Is there a way to configure an alert to be sent to multiple recipients using emails listed in a text file?

wingfoottablet
New Member

I'm digesting some Windows event logs and have an alert set up with the criteria that I want to look for. The alert works beautifully, but I'm adding another layer of difficulty with how the alert goes to recipients. Our admin team is constantly changing, so we maintain flat text files with email addresses of who should receive the alerts. Is there a way I can set the alert to go to the emails listed in the .txt file and have that update automatically if the .txt file changes?

Use Case: I have an alert to go to our Schema Admins if the schema changes. When the alert fires, I'd like the alert to query the schemaadmins.txt to get the emails and email those users.

0 Karma

grijhwani
Motivator

I'd be inclined to fire off the alert to a single, collective address, and have the mail server expand it. That way you don't have to maintain the mail list if recipient addresses change. It becomes part of the natural id management of users. It's also just more readily achievable. Keeping your roles in text files seems a strangely archaic way of doing things. Do you not manage authentication, roles, mail groups, etc. with some kind of centralised directory service like LDAP or AD?

On a Linux Splunk server, you could conceivably have a cron job which recreates an app-packaged search/alert config, or simply use an address list as a recipient list in an alert-spawned script-generated e-mail.

0 Karma
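
One way to build the recipient list for the cron-regenerated alert config suggested in the reply above, as an added example (not code from this thread or from Splunk). The alert name, the allowed domain and the sample addresses are assumptions; `action.email.to` is the `savedsearches.conf` setting that holds an alert's recipients. Each line of the file is validated before it reaches the config, so a stray or malicious entry cannot redirect the alert or inject extra settings.

```python
import re

# Conservative pattern: no whitespace, commas, brackets or control characters,
# so a line from the file cannot smuggle extra settings into the generated config.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def load_recipients(text, allowed_domains):
    """Return (accepted, rejected) addresses from the flat file's contents."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        addr = line.lower()
        domain = addr.rpartition("@")[2]
        if not ADDR_RE.fullmatch(addr) or domain not in allowed_domains:
            rejected.append(line)  # report these rather than silently dropping
            continue
        if addr not in seen:  # de-duplicate, keep file order
            seen.add(addr)
            accepted.append(addr)
    return accepted, rejected


def render_stanza(alert_name, recipients):
    """Build the savedsearches.conf override that sets the alert's recipients."""
    if not recipients:
        # Refuse to write an empty list: the alert would fire and reach nobody.
        raise ValueError("no valid recipients; keep the previous config")
    if any(c in alert_name for c in "[]\r\n"):
        raise ValueError("unsafe alert name")
    return "[{}]\naction.email.to = {}\n".format(alert_name, ",".join(recipients))


# Constructed sample contents of schemaadmins.txt (all addresses are made up).
SAMPLE = """\
# schema admins
alice@example.com
Bob@Example.com
alice@example.com
mallory@evil.test
carol@example.com\taction.email.to = x@evil.test
not-an-address
"""

if __name__ == "__main__":
    ok, bad = load_recipients(SAMPLE, {"example.com"})
    print(render_stanza("Schema Change Alert", ok))  # hypothetical alert name
    print("rejected:", bad)
```

Rejected lines are worth logging or alerting on, since the file now decides who is told about schema changes.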

wingfoottablet
New Member

Sadly no, I'm stuck with the archaic way of doing it. Our management isolates our Linux environment from Windows, so I've got only what's built into Splunk.

0 Karma