Alerting

Is there a way to configure an alert to be sent to multiple recipients using emails listed in a text file?

wingfoottablet
New Member

I'm digesting some Windows event logs and have an alert set up with the criteria that I want to look for. The alert works beautifully, but I'm adding another layer of difficulty with how the alert goes to recipients. Our admin team is constantly changing, so we maintain flat text files with email addresses of who should receive the alerts. Is there a way I can set the alert to go to the emails listed in the .txt file and have that update automatically if the .txt file changes?

Use Case: I have an alert to go to our Schema Admins if the schema changes. When the alert fires, I'd like the alert to query the schemaadmins.txt to get the emails and email those users.

0 Karma

grijhwani
Motivator

I'd be inclined to fire off the alert to a single, collective address, and have the mail server expand it. That way you don't have to maintain the mail list if recipient addresses change. It becomes part of the natural id management of users. It's also just more readily achievable. Keeping your roles in text files seems a strangely archaic way of doing things. Do you not manage authentication, roles, mail groups, etc. with some kind of centralised directory service like LDAP or AD?

On a Linux Splunk server, you could conceivably have a cron job which recreates an app-packaged search/alert config, or simply use an address list as a recipient list in an alert-spawned script-generated e-mail.

0 Karma

wingfoottablet
New Member

Sadly no, I'm stuck with the archaic way of doing it. Our management isolates our Linux environment from Windows, so I've got only what's built into Splunk.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...