Alerting

Is there a way to configure an alert to be sent to multiple recipients using emails listed in a text file?

wingfoottablet
New Member

I'm digesting some Windows event logs and have an alert set up with the criteria that I want to look for. The alert works beautifully, but I'm adding another layer of difficulty with how the alert goes to recipients. Our admin team is constantly changing, so we maintain flat text files with email addresses of who should receive the alerts. Is there a way I can set the alert to go to the emails listed in the .txt file and have that update automatically if the .txt file changes?

Use Case: I have an alert to go to our Schema Admins if the schema changes. When the alert fires, I'd like the alert to query the schemaadmins.txt to get the emails and email those users.

0 Karma

grijhwani
Motivator

I'd be inclined to fire off the alert to a single, collective address, and have the mail server expand it. That way you don't have to maintain the mail list if recipient addresses change. It becomes part of the natural id management of users. It's also just more readily achievable. Keeping your roles in text files seems a strangely archaic way of doing things. Do you not manage authentication, roles, mail groups, etc. with some kind of centralised directory service like LDAP or AD?

On a Linux Splunk server, you could conceivably have a cron job which recreates an app-packaged search/alert config, or simply use an address list as a recipient list in an alert-spawned script-generated e-mail.

0 Karma
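A sketch of the cron-job approach described in the reply above, as an added example (not code from the thread or from Splunk): it reads the flat recipient file, discards malformed entries, and rewrites only the `action.email.to` line of one alert stanza in `savedsearches.conf` text. The stanza name, the sample addresses and the one-address-per-line format with `#` comments are assumptions.

```python
import re

# Conservative address pattern: no whitespace, commas or control characters,
# so a line in the text file cannot smuggle in extra recipients or config keys.
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def load_recipients(text):
    """Return valid, de-duplicated, lower-cased addresses in file order."""
    addrs = (raw.split("#", 1)[0].strip().lower() for raw in text.splitlines())
    return list(dict.fromkeys(a for a in addrs if ADDR.fullmatch(a)))

def set_recipients(conf_text, stanza, recipients):
    """Rewrite action.email.to inside [stanza] only; other stanzas are untouched."""
    if not recipients:
        raise ValueError("empty recipient list would silence the alert; not writing")
    new_line = "action.email.to = " + ",".join(recipients)
    out, in_stanza, done = [], False, False
    for line in conf_text.splitlines():
        header = re.match(r"^\[(.*)\]\s*$", line)
        if header:
            if in_stanza and not done:      # target stanza ended without the key
                out.append(new_line)
                done = True
            in_stanza = header.group(1) == stanza
        elif in_stanza and re.match(r"^action\.email\.to\s*=", line):
            line, done = new_line, True
        out.append(line)
    if in_stanza and not done:              # target stanza was last and lacked the key
        out.append(new_line)
    elif not done:
        raise KeyError("stanza not found: " + stanza)
    return "\n".join(out) + "\n"

# Constructed sample inputs (hypothetical names, not from the thread).
SAMPLE_LIST = """# schema admins
alice@example.com
Bob@Example.com
alice@example.com
not-an-address
eve@example.com, mallory@example.net
"""
SAMPLE_CONF = """[Schema Change Alert]
action.email = 1
action.email.to = old.admin@example.com

[Other Alert]
action.email.to = ops@example.com
"""
```

A cron wrapper would pass the contents of schemaadmins.txt and the app's `savedsearches.conf` through these two functions and write the result back; Splunk has to reload its saved-search configuration before the new recipients take effect.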

wingfoottablet
New Member

Sadly no, I'm stuck with the archaic way of doing it. Our management isolates our Linux environment from Windows, so I've got only what's built into Splunk.

0 Karma