How to set up dynamic email list mapping email addresses to modules listed in Java exception


Hi, we are using Splunk for many different things, but for this question the relevant part is that we use it to get the Java server log into Splunk. Currently, whenever there's an exception we notify our entire team, however, as the team size has grown we need a smarter solution to reduce the noise in everyone's inbox.

We maintain a CSV locally that maps module name (listed in the java exceptions) to email address of the module owner. Is it possible to have Splunk continually read this mapping from some source (we can maintain it on the server itself, or in the cloud, google docs, etc) and then extract the module name from the Java exception and route the email to the correct recipient? I'm not sure how to implement this logic in Splunk so any advice that can be provided would be appreciated.

0 Karma


You can extract per event all the modules, expand the field with all modules, create an automatic lookup that enriches ypur data with the email of the owner using your csv as lookup file and then use the email filed as a token in the email alert action destination and alert per result.

So if you have 1 event with say 10 modules, you’ll get 10 rows with module, email and the alert will trigger sending on email per row.

Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...