I'm digesting some Windows event logs and have an alert set up with the criteria that I want to look for. The alert works beautifully, but I'm adding another layer of difficulty with how the alert goes to recipients. Our admin team is constantly changing, so we maintain flat text files with email addresses of who should receive the alerts. Is there a way I can set the alert to go to the emails listed in the .txt file and have that update automatically if the .txt file changes?
Use Case: I have an alert to go to our Schema Admins if the schema changes. When the alert fires, I'd like the alert to query the schemaadmins.txt to get the emails and email those users.
I'd be inclined to fire off the alert to a single, collective address, and have the mail server expand it. That way you don't have to maintain the mail list if recipient addresses change. It becomes part of the natural id management of users. It's also just more readily achievable. Keeping your roles in text files seems a strangely archaic way of doing things. Do you not manage authentication, roles, mail groups, etc. with some kind of centralised directory service like LDAP or AD?
On a Linux Splunk server, you could conceivably have a cron job which recreates an app-packaged search/alert config, or simply use an address list as a recipient list in an alert-spawned script-generated e-mail.
Sadly no, I'm stuck with the archaic way of doing it. Our management isolates our Linux environment from Windows, so I've got only what's built into Splunk.