Alerting

Is there a way to configure an alert to be sent to multiple recipients using emails listed in a text file?

wingfoottablet
New Member

I'm digesting some Windows event logs and have an alert set up with the criteria that I want to look for. The alert works beautifully, but I'm adding another layer of difficulty with how the alert goes to recipients. Our admin team is constantly changing, so we maintain flat text files with email addresses of who should receive the alerts. Is there a way I can set the alert to go to the emails listed in the .txt file and have that update automatically if the .txt file changes?

Use Case: I have an alert to go to our Schema Admins if the schema changes. When the alert fires, I'd like the alert to query the schemaadmins.txt to get the emails and email those users.

0 Karma

grijhwani
Motivator

I'd be inclined to fire off the alert to a single, collective address, and have the mail server expand it. That way you don't have to maintain the mail list if recipient addresses change. It becomes part of the natural id management of users. It's also just more readily achievable. Keeping your roles in text files seems a strangely archaic way of doing things. Do you not manage authentication, roles, mail groups, etc. with some kind of centralised directory service like LDAP or AD?

On a Linux Splunk server, you could conceivably have a cron job which recreates an app-packaged search/alert config, or simply use an address list as a recipient list in an alert-spawned script-generated e-mail.

0 Karma
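The cron-job approach suggested in the reply above, sketched as an added example (not code from the thread or from Splunk): it reads the flat address file, validates each line, and rewrites `action.email.to` in the alert's `savedsearches.conf` stanza. The stanza name, sample contents and function names are assumptions, and the recipient setting is assumed to sit on a single line.

```python
import re

# One address per line; spaces, commas and control characters are rejected.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def parse_recipients(text):
    """Return the validated, de-duplicated addresses from a flat text file."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not ADDR_RE.fullmatch(line):
            raise ValueError(f"rejected recipient line: {line!r}")
        if line.lower() not in seen:
            seen.add(line.lower())
            out.append(line)
    if not out:  # fail closed: never rewrite the alert so that it mails nobody
        raise ValueError("recipient list is empty")
    return out

def set_alert_recipients(conf_text, stanza, recipients):
    """Return conf_text with action.email.to of [stanza] set to recipients."""
    new_line = "action.email.to = " + ",".join(recipients)
    result, in_stanza, found, done, cont = [], False, False, False, False
    for line in conf_text.splitlines():
        s = line.strip()
        if not cont and s.startswith("[") and s.endswith("]"):
            if in_stanza and not done:  # stanza ended without the key: add it
                result.append(new_line)
                done = True
            in_stanza = s == f"[{stanza}]"
            found = found or in_stanza
        elif not cont and in_stanza and re.match(r"\s*action\.email\.to\s*=", line):
            line, done = new_line, True
        cont = s.endswith("\\")  # next line continues a multi-line value
        result.append(line)
    if not found:
        raise KeyError(f"stanza [{stanza}] not found")
    if not done:  # target stanza was the last one in the file
        result.append(new_line)
    return "\n".join(result) + "\n"

# Constructed sample inputs (not taken from the thread).
SAMPLE_LIST = "# schemaadmins.txt\nalice@example.com\nbob@example.com\nALICE@example.com\n"
SAMPLE_CONF = "[Schema change]\nsearch = <alert search>\naction.email = 1\naction.email.to = old@example.com\n\n[Other alert]\naction.email.to = ops@example.com\n"

if __name__ == "__main__":
    print(set_alert_recipients(SAMPLE_CONF, "Schema change", parse_recipients(SAMPLE_LIST)))
```

A cron job would write the result back to the app's `savedsearches.conf`; Splunk only picks up on-disk changes after a configuration reload or restart.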

wingfoottablet
New Member

Sadly no, I'm stuck with the archaic way of doing it. Our management isolates our Linux environment from Windows, so I've got only what's built into Splunk.

0 Karma