Alerting

Manage alerts for different customers

adrifesa95
Engager

Good morning,

Let me explain my case: I have a Splunk tenant that belongs to a big company with branches in three zones. Each branch should only see the data of its zone. The indexes are named in the form zone_technology, for example eu_meraki.

Knowing this, I have created a series of alerts, which are shared across all the areas and search in all the indexes. How could I make the warning email, when the alert is triggered, reach only the contacts of one area?


Thank you

0 Karma

adrifesa95
Engager

It's splunk cloud

0 Karma

gcusello
SplunkTrust

Hi @adrifesa95,

the question is: do you have Enterprise Security or not?

Anyway, if there isn't Enterprise Security, you can apply my solution.

Ciao.

Giuseppe

0 Karma

adrifesa95
Engager

No, we don't. The problem is that I want to use the same alerts without having to clone them; isn't that possible?

0 Karma

gcusello
SplunkTrust

Hi @adrifesa95,

it isn't so easy; you should:

  • create a lookup containing two columns:
    • area,
    • mail,
  • modify your alerts in this way:
<your_alert>
| lookup your_lookup.csv area OUTPUT mail
| sendemail to=mail

supposing that in your main search you have the area field, matching the value in the lookup.

Ciao.

Giuseppe

0 Karma
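A complete version of the lookup-based routing above, written as a savedsearches.conf stanza. This is an added example, not code from the thread or from Splunk, and every name in it (the stanza name, the lookup file zone_contacts.csv and its rows, the trigger condition placeholder) is assumed. Two points it settles that the short search above leaves open: the area is derived from the index name, since the question says indexes are named zone_technology, and the recipient is taken from the alert's e-mail action with the $result.mail$ token rather than from the sendemail search command, whose to= argument is a literal address list and does not read a field. On Splunk Cloud you cannot edit the .conf file directly; the same settings are the alert's schedule, "Trigger: For each result" and the To/Subject fields of the "Send email" action in the alert editor.

```ini
# Added example, not code from the thread. Assumes a lookup file zone_contacts.csv
# (hypothetical name) uploaded to the same app as the alert, with one row per zone
# and a comma-separated recipient list, e.g. (constructed sample rows):
#   area,mail
#   eu,"soc-eu@example.com,noc-eu@example.com"
#   us,"soc-us@example.com"
# Index names follow the zone_technology convention from the question (eu_meraki, ...).
[shared_meraki_alert]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# One search over every zone's indexes. The zone is derived from the index name,
# mapped to its recipients via the lookup, and rows with no contact are dropped
# (fail closed) rather than mailed to an empty or wrong address.
# <your trigger condition> is a placeholder for the alert's own search terms.
search = index=*_meraki <your trigger condition> \
| eval area = mvindex(split(index, "_"), 0) \
| lookup zone_contacts.csv area OUTPUT mail \
| where isnotnull(mail) \
| stats count AS events, values(host) AS hosts BY area, mail
# Fire when at least one row comes back ...
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# ... and run the action once per result row (the UI's "For each result"), so each
# zone's row produces its own e-mail addressed with that row's mail value.
alert.digest_mode = 0
action.email = 1
action.email.to = $result.mail$
action.email.subject = Meraki alert for zone $result.area$
action.email.message.alert = $result.events$ matching events in zone $result.area$ on hosts: $result.hosts$
```

Because the search aggregates by area and mail, there is exactly one row per zone that matched, and per-result triggering turns that into one e-mail per zone. Keeping several recipients in one CSV cell avoids a multivalue mail field, which the token would not expand cleanly. Note that this routes notifications only: whether a branch's users can see other zones' data when they search is a matter of role permissions (the indexes allowed per role in authorize.conf), not of alert configuration.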

gcusello
SplunkTrust

Hi @adrifesa95,

are you speaking of Splunk Enterprise or Enterprise Security?

If Enterprise Security, it's a very hard job to implement multitenancy because ES isn't multitenant by default.

If in Splunk Enterprise, you could create different alerts for each zone, working only on the indexes of that area and sending mails only to users of that area.

Ciao.

Giuseppe

0 Karma